Persistent malware/possible rootkit?


84 replies to this topic

#1 balfiecat

balfiecat

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 17 January 2010 - 09:31 PM

First signs of trouble were event logs with errors, one nonspecific "serious error" on start up, and extremely slow PC performance (CPU was always at 100% according to Task Manager). Then AVG found Win32/Cryptor but no longer reports that threat. I've run AVG several times and found other threats. Have not run anything like Spybot. Have not run any scans in Safe Mode. Below are the results from MalwareBytes. Appreciate the help!

First priority is cleaning my machine, but I would also like to know if I could have gotten infected from an external hard drive my PC was writing to, not from, and could my memory stick infect someone else's computer?

Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 12:36:44 PM
mbam-log-2010-01-17 (12-36-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 350529
Time elapsed: 1 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.


Oh, log says I have IE 7 but I never use it. I use Firefox if that matters, XP SP3, AVG, Zone Alarm. Thought AdAware was uninstalled but apparently I just disabled it from config startup.

Edited to reflect entire log and thank you, AustrAlien!

Edited by balfiecat, 17 January 2010 - 10:34 PM.
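The `Hijack.Userinit` line in the log above is the most significant finding. The Winlogon `Userinit` value is what Windows runs at every interactive logon; here a second executable (`sdra64.exe`) had been appended after the legitimate `userinit.exe`, so the added file was launched on each logon alongside the real one. The Python below is an added example, not code from the original post or from Malwarebytes: it parses a `Userinit` value in the form MBAM prints it and flags every entry that is not `userinit.exe` in the `system32` directory. The sample values are the "Bad" and "Good" strings from the log; `read_live_userinit` is a hypothetical helper for reading the value on a Windows machine and is only called when the script runs on Windows.

```python
"""Audit a Winlogon Userinit value for appended executables."""
import sys
from typing import List

# Constructed from the MBAM log above: the "Bad" value it reported and a clean one.
HIJACKED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries.

    Windows itself writes a trailing comma, so empty fields are dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_expected_entry(entry: str) -> bool:
    """True only for userinit.exe given bare or located in a system32 directory.

    Checking the directory as well as the file name means a copy of
    userinit.exe planted elsewhere is also reported.
    """
    normalised = entry.replace("/", "\\").lower()
    directory, _, name = normalised.rpartition("\\")
    return name == "userinit.exe" and (directory == "" or directory.endswith("\\system32"))


def unexpected_userinit_entries(value: str) -> List[str]:
    """Every entry in the value that a stock Windows install would not carry."""
    return [entry for entry in parse_userinit(value) if not is_expected_entry(entry)]


def is_userinit_hijacked(value: str) -> bool:
    return bool(unexpected_userinit_entries(value))


def read_live_userinit() -> str:
    """Read the live value from the registry (Windows only; hypothetical helper)."""
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # On Windows audit the real value; elsewhere demonstrate on the logged one.
    value = read_live_userinit() if sys.platform == "win32" else HIJACKED_VALUE
    for entry in unexpected_userinit_entries(value):
        print("unexpected Userinit entry:", entry)
    if not is_userinit_hijacked(value):
        print("Userinit looks clean")
```

Run on the logged value this prints the single `sdra64.exe` entry; the clean value produces no findings. The same check applies to the `Shell` value in the same key, which is another common place for an extra executable to be appended.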




#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 17 January 2010 - 09:35 PM

Welcome to BC, balfiecat :thumbsup:

Link to topic in AVG Free Forums ....
Win32/Cryptor and Trojan horse Downloader.Generic9.AHOJ

Be back to you soon.
'Alien
AustrAlien
Google is my friend. Make Google your friend too.


#3 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 17 January 2010 - 09:49 PM

How nice! An actual welcome!

Thank you for adding the link. I was not sure how much to post or repeat.

I

Edited by balfiecat, 17 January 2010 - 10:04 PM.


#4 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 17 January 2010 - 10:05 PM

How sweet - an actual welcome!

balfiecat
Yes, it is a bit of a contrast with the reception you might get in some other places: BC is friendly (that is an order from above!), and prides itself on providing helpful responses to new/unfamiliar computer users under stress (that means, "I must be very patient and explain things fully and clearly in English and not computer jargon!").

Please, when posting logs, copy and paste the whole log (do not remove the bits from the top ... or the bottom, for that matter ... we like/need to see the info in the top bit, called the header!)

For the duration of our work, please disable AVG's Resident Shield ... see following link for instructions
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do not forget to enable it when we have finished and before browsing the internet again!

Let's see what we can do with your malware problem ....

:huh: Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
:trumpet: Please launch Malwarebytes' Anti-Malware and update with the latest malware definitions.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected. <<< Note: Quick Scan (not Full Scan)
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note 1: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2: MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


:flowers: Please download SUPERAntiSpyware
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and click View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
:inlove: Please download Dr.Web CureIt! and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (something like this ... 5mkuvc4z.exe).
(Or download drweb-cureit.exe from here )

Print these instructions (or copy them to a Notepad file) so they will be accessible: Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Now, reboot your computer in "Safe Mode" using the F8 method. (To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo splashscreen appears) press the F8 key repeatedly. The "Windows Advanced Options Menu" will appear with several options. Use the Up/Down arrow keys to navigate and select the option to run Windows in "Safe Mode".)

Scan with Dr.Web CureIt! as follows:
  • Double-click on <the randomly named file that you downloaded> to open the program and click Start.
  • If you see a message, warning that Dr.Web CureIt! is available free only for personal use, click Cancel to continue.
  • Click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Dr.Web scanner anti-virus check" prompt and click Ok where asked to "Start scan now?"
    Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the "Full version / FREE trial", ignore it, and click the X to close the window.
  • If you see a message, warning that your HOSTS file has been modified and asking if you would like to restore it, click Yes.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply > Ok.
  • Back at the main window, click the green arrow ("Start Scanning") button on the right, under the Dr.Web logo.
    (Please be patient as this scan could take a long time to complete.)
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop. :thumbsup: <<< Important!
  • Exit Dr.Web CureIt! when done.
Important! Reboot your computer normally (not to Safe Mode) because it could be possible that files in use will be moved/deleted during reboot.

After rebooting, post the contents of the log from Dr.Web.
  • On your Desktop, right-click on DrWeb.csv and choose Open with > Notepad
  • Copy and paste the entire file contents in your next reply.
    *******************************************
:huh: Now, please run a Full Scan this time with MBAM after again updating. Remove what it finds and then post the log from that too.

Edited by AustrAlien, 17 January 2010 - 10:12 PM.


#5 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 17 January 2010 - 10:48 PM

:thumbsup: You saw my original comment! It was because I'd seen so many non-responsive and/or condescending first or second replies that I began by making it known I get the senior discount at the grocery store :flowers: I absolutely dreaded having certain posters respond and almost did not post at all.

Well I'm off to do my homework. The scans will probably be much faster than I will be reading and following the instructions :trumpet: My brain welcomes the stimulation, but I wish it didn't involve a problem on my PC!

And Thank you for the links and instructions...

#6 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 18 January 2010 - 01:32 PM

I think I might have made a mistake. When I got into Safe Mode to run SUPERAntiSpyware, both fixed drives C and D were checked in SUPERAntiSpyware. I suspected you intended for me to scan both, but the only one you emphasized having checked was C, so I UNCHECKED drive D where the restore folders are. I do have restore turned off. Should I go back and scan D, or both C and D, or is it okay as is? There were only 3 tracking cookies. Was it only scanning for tracking cookies?

If you have time to explain, why did I uncheck Use kernel direct file access, kernel direct registry access, and direct disk access? Would I normally want to keep those checked to use this software under normal conditions? It found a Safeway cookie from the grocery store and I haven't been to that web site for weeks if not months, so I would have thought one of the other scanners would have caught it!

Also the program that previously showed up as non-responding during shut down - the one that had a name with only one character - has not reappeared. Does that mean the trojan or cryptor is really gone?

Thank you :thumbsup:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/18/2010 at 07:43 AM

Application Version : 4.33.1000

Core Rules Database Version : 4487
Trace Rules Database Version: 2303

Scan type : Complete Scan
Total Scan Time : 10:26:27

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 6401
Registry threats detected : 0
File items scanned : 193383
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
.safeway.112.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ipg7v1bi.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ipg7v1bi.default\cookies.txt ]

Edit: It occurs to me you probably won't see this for a while (I think it is very early morning tomorrow your time) so I am going to move on with the next step.

Something else that has just dawned on me: I had stated that I had only one drive, yet there was an error or something referring to drive 3. I wonder if it meant the external drive and counted C and D as drives 1 and 2 ....

Edited by balfiecat, 18 January 2010 - 01:44 PM.


#7 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 18 January 2010 - 02:52 PM

How many user accounts do you have on the system?

The fact that SAS only found tracking cookies is a good sign.

What happened to Step 2 ... the Quick Scan with MBAM ? Please post the log.

You are doing well: Keep going, and you may post the logs as you complete them if you wish, instead of posting them all together after you have finished.

#8 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 19 January 2010 - 09:31 PM

:thumbsup: Well that question was unexpected! As far as I know I only have one user account, although it is not outside the realm of possibility that I have been here before a long time ago. Because of your question I looked at member names and see there are 2 others that are similar. Is that why you asked? I could see myself using 'Balfie', but I know that one isn't me because I've never gotten one of those hi-jack logs done. The other just didn't look familiar at all and isn't something I would come up with. I am not that creative - I took this nick directly from an email address and even that was not named by me (I inherited the email account because he wasn't using it anymore, it was already set up on Outlook and by using it for registrations I protect my daily one from spam).

Boy, I do not even remember what happened with either MalwareBytes or SUPERAntiSpyware. I will look for those logs and post them. I saw above that I did not run it on D - should I have? I did run AVG right after rebooting following the Dr.Web CureIt and it found tracking cookies. But I was not even online (was in Safe Mode the entire time until rebooting) so can't understand how I got them.

Every time I try to open the Dr.Web log a pre-installed program I haven't paid for tries to open, then can't, so I used 'Open with' but the log is barely readable in this form. I only see one log and I think it is from the long scan. I do not remember what happened with the short scan. They both took a long time.

MBAM (I thought I had run it more than once and that it came up clean but I only saw this in My Documents)
Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 12:36:44 PM
mbam-log-2010-01-17 (12-36-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 350529
Time elapsed: 1 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.




Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 2:23:44 PM
mbam-log-2010-01-17 (14-23-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 350529
Time elapsed: 1 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 5:39:46 PM
mbam-log-2010-01-17 (17-39-46).txt

Scan type: Quick Scan
Objects scanned: 146129
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Malwarebytes' Anti-Malware 1.44
Database version: 3586
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 7:46:15 PM
mbam-log-2010-01-17 (19-46-15).txt

Scan type: Quick Scan
Objects scanned: 129758
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Dr.Web CureIt (created at Today, January 19, 2010, 9:44:21 AM according to file properties, so it was the result of the long scan)

MeMediaSetupInst.exe\MeMediaSetup.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}\MeMediaSetupInst.exe;Adware.SaveNow.origin;;
{app}\MeMediaSetupInst.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app};Archive contains infected objects;;
data002;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Archive contains infected objects;;
freecellsetup.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Container contains infected objects;Moved.;
zlsSetup_70_470_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm\zlsSetup_70_470_000_en.exe/Z4BARSPINSTALL.EXE/data001;Adware.MyWebSearch.22;;
data001;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;
Z4BARSPINSTALL.EXE;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;
zlsSetup_70_470_000_en.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Archive contains infected objects;Moved.;
zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm\zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001;Adware.MyWebSearch.22;;
data001;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;
Z4BARSPINSTALL.EXE;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;
zlsSetup_70_483_000_en.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Archive contains infected objects;Moved.;
NPZoneSB.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.MyWebSearch.22;Moved.;
NPZONESB.DLL;C:\Program Files\ZoneAlarmSB\bar\1.bin;Adware.MyWebSearch.22;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App13914\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App13914\comps\coach;Archive contains infected objects;Moved.;


The AVG scan this afternoon found tracking cookies. The PC was offline - I had unplugged it and the only thing I did on that computer was run AVG after rebooting from the Dr.Web scan.

P.S. I might have been mistaken and did re-hook up my PC to the internet sometime today after Dr.Web finished and before I ran the AVG scan. I do not remember doing so or using the browser or anything and am pretty sure I didn't, but I am not positive.

P.S.S. Sorry I forgot to post the MalwareBytes logs before.

Edited by balfiecat, 20 January 2010 - 02:29 AM.
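The Dr.Web CureIt! report above is semicolon-separated, one row per object: the object's name, its path (nested archive levels joined by `/`, or the nesting written into the name column with the path pointing at the container file), the threat name or container status, and the action taken. Rows with an empty action column are objects found inside an archive; the action is recorded once on the outermost container row (`freecellsetup.exe ... Moved.`, `aolcinst.exe ... Moved.`), which is why not every row reads `Moved.` even though every detection was dealt with. The Python below is an added example, not from the original post or from Dr.Web: it parses rows in this layout and, for each named detection, resolves the file on disk that was actually acted on. The sample rows are copied from the report above; the column meanings and the container heuristic are inferred from that report, not taken from documented Dr.Web format.

```python
"""Parse a Dr.Web CureIt! semicolon-separated report and resolve actions."""
import csv
from io import StringIO
from typing import Dict, List

# Constructed sample: rows copied from the CureIt! report posted above.
SAMPLE_REPORT = r"""
MeMediaSetupInst.exe\MeMediaSetup.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}\MeMediaSetupInst.exe;Adware.SaveNow.origin;;
{app}\MeMediaSetupInst.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app};Archive contains infected objects;;
data002;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Archive contains infected objects;;
freecellsetup.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Container contains infected objects;Moved.;
NPZoneSB.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.MyWebSearch.22;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App13914\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App13914\comps\coach;Archive contains infected objects;Moved.;
"""

FIELDS = ("object", "path", "threat", "action")
# Status strings Dr.Web writes for an enclosing archive rather than a detection.
CONTAINER_STATUS = ("Archive contains infected objects",
                    "Container contains infected objects")


def parse_drweb_report(text: str) -> List[Dict[str, str]]:
    """One dict per non-empty row. skipinitialspace tolerates the re-spaced
    copy of the report (semicolon followed by a space) as well as the raw one."""
    rows = []
    for record in csv.reader(StringIO(text), delimiter=";", skipinitialspace=True):
        if not any(field.strip() for field in record):
            continue                      # blank line
        record = (record + [""] * 4)[:4]  # pad short rows, drop the trailing empty field
        rows.append(dict(zip(FIELDS, (field.strip() for field in record))))
    return rows


def on_disk_container(row: Dict[str, str]) -> str:
    """The real file on disk holding this object (heuristic inferred from the report).

    Nesting shows up either as '/'-joined levels inside the path, or as a
    '\\'-joined chain in the object column with the path being the container.
    """
    obj, path = row["object"], row["path"]
    if "/" in path:
        return path.split("/", 1)[0]
    if "\\" in obj:
        return path
    return path.rstrip("\\") + "\\" + obj


def named_detections(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows carrying a threat name rather than a container status."""
    return [row for row in rows if row["threat"] not in CONTAINER_STATUS]


def resolve_actions(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """For each named detection, the file acted on and the action that covers it.

    An action recorded on a container row is inherited by every detection
    found inside that container.
    """
    actions = {on_disk_container(row): row["action"] for row in rows if row["action"]}
    resolved = []
    for row in named_detections(rows):
        container = on_disk_container(row)
        resolved.append({
            "threat": row["threat"],
            "object": row["object"],
            "container": container,
            "action": row["action"] or actions.get(container, ""),
            "via_container": not row["action"] and container in actions,
        })
    return resolved


if __name__ == "__main__":
    for entry in resolve_actions(parse_drweb_report(SAMPLE_REPORT)):
        where = " (via container)" if entry["via_container"] else ""
        print(f'{entry["threat"]:25} {entry["action"] or "NO ACTION":10}{where} {entry["container"]}')
```

Against the sample rows this reports three named detections, all resolved to `Moved.`: `Adware.MyWebSearch.22` directly, the other two through the `freecellsetup.exe` and `aolcinst.exe` containers. Any detection whose `action` stays empty after resolution is the one worth following up.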


#9 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 19 January 2010 - 09:52 PM

Tried to make this a little easier to read, but I can barely see the semicolons or colons and am not sure where the breaks are supposed to be. I do not understand why some things were moved and others weren't.


Dr.Web CureIt (created Today, January 19, 2010, 9:44:21 AM according to file properties, so it was the result of the long scan - but I am pretty sure that scan ended at around 5 or 6 am)

MeMediaSetupInst.exe\MeMediaSetup.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}\MeMediaSetupInst.exe; Adware.SaveNow.origin;;

{app}\MeMediaSetupInst.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}; Archive contains infected objects;;

data002; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes; Archive contains infected objects;;

freecellsetup.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Container contains infected objects; Moved.;

zlsSetup_70_470_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001; C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm\zlsSetup_70_470_000_en.exe/Z4BARSPINSTALL.EXE/data001; Adware.MyWebSearch.22;;

data001; C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm; Container contains infected objects;;
Z4BARSPINSTALL.EXE; C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm; Container contains infected objects;;

zlsSetup_70_470_000_en.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm; Archive contains infected objects; Moved.;

zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001\data001; C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm\zlsSetup_70_483_000_en.exe/Z4BARSPINSTALL.EXE/data001; Adware.MyWebSearch.22;;

data001;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;
Z4BARSPINSTALL.EXE;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Container contains infected objects;;

zlsSetup_70_483_000_en.exe;C:\Documents and Settings\Owner\My Documents\Set Up Files\zone alarm;Archive contains infected objects;Moved.;

NPZoneSB.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.MyWebSearch.22;Moved.;

NPZONESB.DLL;C:\Program Files\ZoneAlarmSB\bar\1.bin;Adware.MyWebSearch.22;Moved.;

aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App13914\comps\coach\aolcinst.exe;Adware.Gdown;;

aolcinst.exe;D:\i386\Apps\App13914\comps\coach;Archive contains infected objects;Moved.;
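To make a Dr.Web CureIt log like the one above easier to read, here is an added Python example (it is not part of this thread and not Dr.Web's own code) that splits each record into its four semicolon-separated fields (object, path, threat, action) and groups the nested findings under the file on disk that the action applied to. It assumes, from the ordering visible in the posted log, that Dr.Web lists the members of an archive first and the enclosing file last, with the action recorded only on that final line; that is why the inner entries show no action while the outer installer shows "Moved.". The sample lines are copied from the log above.

```python
"""Parse Dr.Web CureIt log records (object;path;threat;action;) and group
nested findings under the on-disk file Dr.Web actually acted on."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lines copied from the Dr.Web log posted above (the spacing around ';' varies).
SAMPLE_LOG = r"""
MeMediaSetupInst.exe\MeMediaSetup.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}\MeMediaSetupInst.exe; Adware.SaveNow.origin;;
{app}\MeMediaSetupInst.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes\freecellsetup.exe/data002/{app}; Archive contains infected objects;;
data002; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes; Archive contains infected objects;;
freecellsetup.exe; C:\Documents and Settings\Owner\My Documents\Set Up Files\card gaMes;Container contains infected objects; Moved.;
NPZoneSB.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.MyWebSearch.22;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App13914\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App13914\comps\coach;Archive contains infected objects;Moved.;
"""

# Dr.Web uses these two "threat" strings for wrappers rather than for real detections.
CONTAINER_NOTES = {"Archive contains infected objects", "Container contains infected objects"}


@dataclass
class Record:
    obj: str      # object name, possibly a nested member like a.exe\b.cab\c.ocx
    path: str     # directory, or archive path with '/' marking nesting levels
    threat: str   # detection name, or one of CONTAINER_NOTES
    action: str   # "Moved." etc.; empty when Dr.Web took no action on this object

    @property
    def is_container(self) -> bool:
        return self.threat in CONTAINER_NOTES


def parse_line(line: str) -> Optional[Record]:
    """Four semicolon-separated fields with a trailing ';'; tolerate stray spaces."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) < 4 or not parts[0]:
        return None
    return Record(*parts[:4])


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


@dataclass
class Group:
    disk_file: str        # the file on disk that the action applied to
    action: str
    threats: List[str] = field(default_factory=list)


def group_findings(records: List[Record]) -> Tuple[List[Group], List[Record]]:
    """Assumption taken from the log's ordering: members of an archive are
    listed first and the enclosing on-disk file last, carrying the only action.
    So a record with a non-empty action closes the current group. Records left
    over at the end had no action recorded at all."""
    groups: List[Group] = []
    pending: List[Record] = []
    for rec in records:
        pending.append(rec)
        if rec.action:
            threats = sorted({p.threat for p in pending if not p.is_container})
            groups.append(Group(f"{rec.path}\\{rec.obj}", rec.action, threats))
            pending = []
    return groups, pending


def summarize(text: str) -> List[str]:
    """One line per on-disk file: action, path, and the detections found inside it."""
    groups, leftover = group_findings(parse_log(text))
    lines = [f"{g.action:<8} {g.disk_file}  [{', '.join(g.threats)}]" for g in groups]
    if leftover:
        lines.append(f"{len(leftover)} record(s) with no action recorded")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it on the full log and each "Moved." line becomes one summary row naming the installer or DLL that was quarantined, with the adware names detected inside it listed in brackets.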

#10 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 20 January 2010 - 06:25 AM

To complete the instructions to date, you just need to do Step 5 and post the log.

Things are looking good, with nothing too much to worry about having showed up since your first full scan with MBAM.
These are the items that I was most concerned about (all showed up in the early MBAM Full Scan):
Registry Keys Infected:
all those showing the presence of Backdoor.Bot

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
------------------------------

Please let me know how your machine seems to be running now.
Are there any signs of a remaining problem?


------------------------------

Re: my question "How many user accounts do you have on the system?"
I was referring to your computer, not the BleepingComputer Forums: Sorry about the confusion.
Please let me know the answer.

-------------------------------------------

Please scan your computer with ESET OnlineScan
  • Hold down the <Ctrl> key and click on the link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your Desktop.
    • Double click on the Posted Image icon on your Desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
    Please be patient as this can take some time.
  • When the scan completes, click Posted Image
  • Click Posted Image and save the file to your Desktop as "ESETScan".
    Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Click the Posted Image button.
  • Click Posted Image

AustrAlien
Google is my friend. Make Google your friend too.

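The Userinit entry and the lowsec folder in that MBAM listing are the two indicators a defender would want to be able to re-check on the machine. Here is an added Python example (not from this thread, MBAM or Microsoft) that takes the raw Winlogon Userinit registry string, splits it at the commas the way the MBAM "Bad:" line shows, and reports any program other than userinit.exe; on Windows it can also read the live value with the standard winreg module, and it checks whether the lowsec folder and its .ds files still exist. The "Bad" and "Good" values are taken verbatim from the log above; the C:\WINDOWS system root default and the winreg read are assumptions about the reader's machine.

```python
"""Re-check the Winlogon Userinit value and the lowsec paths MBAM reported.

Windows starts every comma-separated program named in the Winlogon "Userinit"
value at logon, so anything listed after userinit.exe runs at every logon too.
"""
import os
from typing import List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_BASENAME = "userinit.exe"

# Values exactly as MBAM printed them in the log above (Bad / Good).
BAD_FROM_LOG = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
GOOD_FROM_LOG = "Userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the raw registry string on commas; the trailing comma Windows
    keeps on this value produces an empty entry, which is dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_entries(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every program in the Userinit string that is not userinit.exe
    itself (bare name or full path under system_root). Comparison is
    case-insensitive because Windows paths are. system_root is an assumption."""
    allowed = {EXPECTED_BASENAME, f"{system_root}\\system32\\{EXPECTED_BASENAME}".lower()}
    return [e for e in parse_userinit(value) if e.lower() not in allowed]


def lowsec_artifacts(system_root: str = r"C:\WINDOWS") -> List[str]:
    """Paths from the MBAM 'Folders/Files Infected' section that still exist.
    Returns [] on a machine where none of them are present (or off Windows)."""
    base = f"{system_root}\\system32\\lowsec"
    candidates = [base, f"{base}\\local.ds", f"{base}\\user.ds"]
    return [p for p in candidates if os.path.exists(p)]


def read_live_userinit() -> Optional[str]:
    """Read the real value with the standard winreg module (Windows only);
    returns None elsewhere. Assumes it is run on the machine being checked."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def report(value: str, label: str) -> str:
    """Human-readable verdict for one Userinit string."""
    extra = unexpected_entries(value)
    if not extra:
        return f"{label}: only userinit.exe is listed (clean)"
    return f"{label}: extra program(s) after userinit.exe: " + ", ".join(extra)


if __name__ == "__main__":
    print(report(BAD_FROM_LOG, "MBAM 'Bad' value"))
    print(report(GOOD_FROM_LOG, "MBAM 'Good' value"))
    live = read_live_userinit()
    if live is not None:
        print(report(live, "live registry value"))
        print("lowsec artifacts present:", lowsec_artifacts() or "none")
```

On the value from the log, the check names C:\WINDOWS\system32\sdra64.exe as the extra program; on the default value it reports clean. Run on the real machine after cleanup, both the live Userinit value and the lowsec paths should come back clean, which is the quick way to confirm the MBAM quarantine held.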

#11 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 20 January 2010 - 08:12 AM

Talked to my son a little tonight (Google chat):

you can run scans through ubuntu if you use avast or something sure (I might try on his old HP)
what you might want to do is shrink your xp partition down (he might as well be speaking Greek) and install ubuntu on there
so you can dual boot
and it is a very nice 23" Hanspree LCD

(he sent me a link and I think it is HF237- whatever, it is better than what I have!)

Things are looking good, with nothing too much to worry about

:thumbsup:

Those files you listed - do they indicate that someone was accessing info on my computer such as account numbers and passwords?

Your clarification made me laugh. I feel pretty silly. Really had me taxing my brain! :flowers: There is owner, administrator and guest.

Well, I just tried switching users and it only showed guest and owner, and in the bottom left of the screen it said to turn off 'son's name' and 'my name' - I'm not sure if it is somehow set up so that we have separate accounts? I do not even have a login password, and when in safe mode one of the times I went into admin and there was almost nothing there - I thought maybe it would be better to run scans from there.

I will likely not be back until early tomorrow night Alaska time (it is 3:30 am now and I have volunteer work most of tomorrow). I won't run ESET until tomorrow either - I am having a hard time thinking.

Am I supposed to both run the online scan and download the other and run it? I use Firefox.

My computer has been performing much better ever since whichever scan removed the cryptor and so many of those infected system files - a 90% reduction in CPU usage, but then I got emails from the only place I pay via internet - someone trying to get my password reset - so there must have been someone getting access still, I think. But when I see those files you listed I think getting rid of those must have taken care of that.

Actually I have not tried to use the PC much except to run scans until tonight. And then I've only been reading on Firefox, installing some fonts and chatting on Gmail a wee bit. I do still find it slows down quite a bit but then is okay again, and nothing like it was, and it seems to be related to Firefox, which eats a huge amount of resources much of the time. I saw a thread about Firefox using memory and I am going to spend some time there reading one day soon. Now that the bugs are gone I will probably reinstall Google Chrome. I think the infections must have been causing the updating event errors.

I think my computer is cured! :trumpet: I am so relieved! Thank you so much for your help... I am going to do the ESET though. And when I am feeling courageous I'll be back to BleepingComputer to deal with my son's old PC and the My Book (it has files from 3 old computer hard drives dating back to Windows 95). I am very glad you suggested I come here. This will be my first stop in the future.

#12 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 20 January 2010 - 08:15 AM

Do I need to turn off Resident Shield again? I turned it on after Dr.Web.

#13 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 20 January 2010 - 09:39 AM

The instructions for Eset OnlineScan are written for users of "alternate" (that means Firefox, in your case) browsers. Simply follow the instructions (yes, "download the other and run it").

I suggest that you do disable AVG's resident shield when running any other malware removal tool. (Don't forget to re-enable it afterwards!)

Don't be too hasty/too confident about our progress just yet: You just never know what might turn up as we keep digging around in your computer. We have a few more things to do yet! So far, things are looking better than I was anticipating, so that is a good sign. But, I am still going to want to check for rootkits before sending you on your way with a clean bill of health. Let's keep plugging away at this.

"Backdoor.Bot" is a worry. It is possible that information from your computer has been stolen. If you have been conducting any financial affairs from your computer, it may be advisable to take the precaution of informing the financial institutions and changing passwords from a known clean computer (easy to say if you are able to do it!). Already you have become aware of one possibly related incident, so it may indeed have happened. I suggest that you take all the precautions necessary to protect yourself.

REMINDER: Your first job is to update MBAM, run a "Full Scan", remove whatever is found, and post the log here.

Edited by AustrAlien, 20 January 2010 - 09:40 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#14 balfiecat

balfiecat
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Female
  • Location:Alaska
  • Local time:03:00 PM

Posted 20 January 2010 - 01:46 PM

REMINDER: Your first job is to update MBAM, run a "Full Scan", remove whatever is found, and post the log here.

Thank you! I am glad you picked up that I seemed to have forgotten. I never actually comprehended that part of your instructions :thumbsup: I was here to get the ESET instructions again and would have gone on without running MBAM.

I have noticed I sometimes have peculiar mouse behavior - it seems to be disconnecting and reconnecting (USB optical) - and once in a while my keyboard will miss keystrokes - sometimes many of them. Last night I was frequently having the mouse problem, and this morning the mouse just stopped responding. I assumed these were hardware issues but decided to mention them just in case they could be symptomatic of something.

When you reminded me of MBAM I reread the instructions beginning with the TFC (humorously - or not so humorously, depending on one's perspective - I had missed it again in the other post) and I do not recall ever running TFC, but I checked and it is on my desktop, so I guess I did.

Well, I am going to start MBAM!

Oh, I did call the bank and GCI right after I got those emails about my password. The bank would not change my online password for me and I still have not changed it, but they did for my ATM, and GCI changed my online password by phone since my own computer was not safe. I had not remembered Peter's computer at that time, but even after I got it set up I was afraid to use it because the previous users were not diligent (at all) about security and didn't even have antivirus software installed for a long time and had disabled Zone Alarm. I ran MBAM on it but it showed nothing, and that in itself made me suspicious. Makes me laugh at my attitude - but those boys were not careful, had LimeWire, Ares and allowed file sharing, downloaded video games and music, etc. etc. I just cannot believe there is nothing at all on that computer! My mouse quit again. The red light isn't even on. Each time I unplug it and plug it back in, it works again. I will ask the place I volunteer for if I can use their computer to change it, I guess.

Again, thank you!

#15 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:00 AM

Posted 20 January 2010 - 08:18 PM

I am glad you picked up that I seemed to have forgotten. I never actually comprehended that part of your instructions

I am a quick learner !

TFC (Temporary File Cleaner) is used to clean up some junk before the scans are run. It makes the scans a little quicker. You can use it any time that you wish, if you don't already have such a utility. ATF Cleaner is another one commonly recommended on this forum, and CCleaner is another widely used clean-up utility (one that I use).

Re: mouse and keyboard
*Assuming that they are connected with wires to the computer's USB ports, and not operated with battery power with the batteries going flat?
Watch your CPU usage at the time of the "delayed reaction". Keep the Task Manager window open on your Desktop, and keep an eye on what is happening with the CPU usage. If it is sitting on 100%, then you will see the symptoms that you have described. In other words, it is busy doing something else, and will get around to what you want it to do when it has some spare time!!!

Edit: I just noticed again this little bit that you tacked on: "My mouse quit again. The red light isn't even on. Each time I unplug it and plug it back in, it works again." So I am thinking what I have written above probably is not applicable. Do you have a spare PS2 mouse and keyboard? If not, try to scavenge some as spares. (PS2 type is the small round plug, as opposed to the USB type with the little flat plug. The PS2 ports are often coloured green and purple, and always at the rear of the box.)
My own opinion is that USB is nice, and it is often convenient, but it is not ever to be considered reliable.

I think you should really try to get a "spare" computer running, to use in the event that your "main" computer has a problem. It seems you are half way there already. You should know the drill by now to make a good start on checking for malware. Then update > update > update .... Windows, then install your favourite anti-virus application.

AustrAlien
Google is my friend. Make Google your friend too.
