
PornoTube and similar desktop icons keep coming back


11 replies to this topic

#1 Jeebus

  • Members
  • 26 posts
  • Gender:Male
  • Location:Glasgow, Scotland

Posted 11 April 2010 - 11:08 AM

Hi there, I've been given a Dell Dimension 5150 with Windows XP Home Edition to try and fix. Originally it was simply a blue screen error saying "Stop:c0000135 - user32.dll not found", so I replaced that with a copy from a Windows XP CD. Once the computer booted to the desktop, I noticed three porn site shortcuts including porn icons.

First of all I installed Malwarebytes and updated it, and then ran a scan in both normal and safe modes. It detected a lot of infections. When I tried removing these, I was told that "Registry Editing has been disabled by your system administrator". I solved this by downloading Doug Knox's regtools.vbs script. I then re-ran the Malwarebytes scans and this time it seemed to be able to remove all the infections. After restarting the computer, the icons were gone. However, a few minutes later they suddenly reappeared! I started to get worried at this point.

Using a combination of msconfig, HijackThis, AutoRuns and ProcessExplorer, I disabled all the suspicious-looking services and startup entries I could find. There were a lot of AtXX.job entries in the Scheduled Tasks window which I removed. However the icons still kept coming back.

Last night I downloaded ComboFix (I know it says at the top "ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use" but this was before I looked at this section of the site), and tried following the instructions on this site. When I tried running it the first time, it kept saying that ComboFix had been infected and wouldn't run; I had to rename the file to total gibberish to let it run. ComboFix reported almost immediately that it had detected an attempt to interfere from "C:\Documents and Settings\Jacqui\LocalSettings\ApplicationData\Windows Server\fmrbow.dll" and had disabled it. ComboFix reported that it had detected rootkit activity and restarted the computer several times. I crossed my fingers and hoped it had removed the cause finally, but the icons are still coming back.

I've also tried following the instructions in http://www.bleepingcomputer.com/forums/ind...t&p=1575979 by using ATX Cleaner and SuperAntiSpyware to no avail. It's picked up a bunch of infections but the icons are still coming back.

I'd rather not have to resort to backing up, nuking and reinstalling Windows, as the woman who owns the computer has all of her teaching resources and personal files on this computer and I'm worried they might be infected also, as all the programs I'm using are finding infections all over the computer, in Documents and Settings, system32, Program Files and everywhere else. I wouldn't want to accidentally back up an infected file and have it spread onto a fresh install.

I'm at my wit's end here, I've never encountered an infection this bad before. Any help would be greatly appreciated.

Thanks

Edited by Jeebus, 11 April 2010 - 11:13 AM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 April 2010 - 12:40 PM

Please post the SAS scan log..

Run this: FixExe.reg
....click Run when the box opens

RKill....

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Jeebus
  • Topic Starter

Posted 12 April 2010 - 09:09 PM

Hi, sorry it's taken me a while to respond, I've been rather busy lately. I appreciate the help though.

I've run FixExe.reg and Rkill; Rkill doesn't terminate anything other than itself in Safe Mode according to its log.

Here are the logs you requested.

------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/11/2010 at 04:33 PM

Application Version : 4.35.1002

Core Rules Database Version : 4792
Trace Rules Database Version: 2604

Scan type : Complete Scan
Total Scan Time : 01:08:10

Memory items scanned : 260
Memory threats detected : 0
Registry items scanned : 5687
Registry threats detected : 4
File items scanned : 26014
File threats detected : 14

Adware.Vundo/Variant-MSE
[aholbs] C:\WINDOWS\SYSTEM32\MSEPDLKP.DLL
C:\WINDOWS\SYSTEM32\MSEPDLKP.DLL
[qyfvwm] C:\WINDOWS\SYSTEM32\MSEJFZRL.DLL
C:\WINDOWS\SYSTEM32\MSEJFZRL.DLL
C:\WINDOWS\SYSTEM32\23B44F0EEA0D461D033981257ECF714B.SZCPF

Trojan.Agent/Gen-Alway[IE]
[Adobe_Reader] C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\WMPSCFGS.EXE

Trojan.Downloader-SVCHost/Fake
[mslivemsn] C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\SVCHOST.EXE
C:\PROGRAM FILES\WINDOWS NT\ACCESSORIES\SVCHOST.EXE

Rogue.ProtectionSystem
C:\Program Files\Protection System

Trojan.Agent/Gen-FraudLoad[Crit]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000040.EXE

Trojan.Agent/Gen-Frauder
C:\WINDOWS\SYSTEM32\3695337.EXE
C:\WINDOWS\SYSTEM32\5991327.EXE
C:\WINDOWS\SYSTEM32\6099054.EXE
C:\WINDOWS\SYSTEM32\6376001.EXE
C:\WINDOWS\SYSTEM32\8525507.EXE

Trojan.Agent/Gen-FraudAlert
C:\WINDOWS\SYSTEM32\D.BIN

Adware.Vundo/Variant-MSFake
C:\WINDOWS\SYSTEM32\MSWINSCK.OCX

------------

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

13/04/2010 03:19:20
mbam-log-2010-04-13 (03-19-20).txt

Scan type: Quick scan
Objects scanned: 129067
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
C:\WINDOWS\Temp\VRT1.tmp (Spyware.OnlineGames) -> Unloaded process successfully.
C:\Program Files\Windows NT\Accessories\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mslivemsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\VRT1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1580301.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1861318.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6506448.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\Local Settings\temp\ctv263 .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT7.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Windows NT\Accessories\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\eeyewy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

--------------------

After rebooting into normal mode, I ran Rkill again and the following result was displayed.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jacqui on 13/04/2010 at 3:24:26.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\97.exe
C:\Documents and Settings\Jacqui\Desktop\rkill.com


Rkill completed on 13/04/2010 at 3:24:29.

Edited by Jeebus, 12 April 2010 - 09:26 PM.


#4 boopme

Posted 12 April 2010 - 09:30 PM

Ok, the desktop is normal now?

Let's run an online scan and see how it is after that..
ESET
Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (Please be patient as the scan could take some time to complete.)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 Jeebus
  • Topic Starter

Posted 12 April 2010 - 09:40 PM

When I try to access the ESET online scanner from that machine, Internet Explorer attempts to connect to it with no success and eventually redirects to a Dell search results via Google page, as if it's a non-existent URL, but I can access that site fine from any other computer. It's also doing the same for several other antivirus sites such as MSE and Symantec. I've checked the hosts and lmhosts files and there are no redirects set in those. The infected machine can access all normal sites such as Google and BBC.co.uk fine; it's only antivirus websites that are refusing to load on that machine and that machine only.

#6 boopme

Posted 12 April 2010 - 09:45 PM

Ok try it this way.
Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Run RKill....

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.



Try ESET again.

#7 Jeebus
  • Topic Starter

Posted 12 April 2010 - 09:50 PM

IE still won't connect to ESET.

Here's the GooredFix log

--------

GooredFix by jpshortstuff (08.01.10.1)
Log created at 03:47 on 13/04/2010 (Jacqui)
Firefox version [Unable to determine]

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{3E1D7D04-644C-4341-B337-EC0234E9304A} -> Success!
Deleting C:\Documents and Settings\Jacqui\Local Settings\Application Data\{3E1D7D04-644C-4341-B337-EC0234E9304A} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2FB67AFD-5AD3-4E91-B063-94501907E5DB} -> Success!
Deleting C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{2FB67AFD-5AD3-4E91-B063-94501907E5DB} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1A519EAB-12BA-41DB-9B3F-83F4A5A406F9} -> Success!
Deleting C:\Documents and Settings\Martin\Local Settings\Application Data\{1A519EAB-12BA-41DB-9B3F-83F4A5A406F9} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2FDD9EC5-8794-4486-AF95-02D07B68671C} -> Success!
Deleting C:\Documents and Settings\Matthew\Local Settings\Application Data\{2FDD9EC5-8794-4486-AF95-02D07B68671C} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [09:55 08/01/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:08 07/08/2009]

-=E.O.F=-

Edited by Jeebus, 12 April 2010 - 09:51 PM.


#8 boopme

Posted 12 April 2010 - 09:54 PM

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#9 Jeebus
  • Topic Starter

Posted 12 April 2010 - 10:01 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/04/2010 04:01:57
mbam-log-2010-04-13 (04-01-57).txt

Scan type: Quick scan
Objects scanned: 130428
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 13
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\system32\w.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\Program Files\Windows NT\Accessories\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\IEBarProperties (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mslivemsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\w.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\Local Settings\temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Windows NT\Accessories\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacqui\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by Jeebus, 12 April 2010 - 10:03 PM.
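Read together, the two MBAM logs in this thread help explain why the shortcuts kept returning: the hits are spread over several autostart locations (a service, an AppCertDlls entry, Policies\Explorer\Run, the SYSTEM hive's Windows\load value) plus a hidden-files hijack, and some items are only "Delete on reboot". The script below is an added example, not MBAM's or BleepingComputer's code: it parses MBAM-style log lines and groups the registry hits by the mechanism they abuse. The sample lines are copied from the logs above; the mechanism descriptions are general Windows behaviour, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample input: lines taken from the two MBAM logs posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mslivemsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\w.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(.+) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Ordered rules: (regex on the registry path, mechanism name, why it brings malware back).
AUTOSTART_RULES = [
    (r"\\CurrentControlSet\\Services\\", "Windows service",
     "starts at boot, before any user logs on"),
    (r"\\Session Manager\\AppCertDlls\\", "AppCertDlls",
     "DLL loaded into every process created through CreateProcess"),
    (r"\\Policies\\Explorer\\Run\\", "Policies\\Explorer\\Run",
     "policy autorun processed by Explorer at logon"),
    (r"\\CurrentVersion\\Run\\", "Run key",
     "classic autorun processed at logon"),
    (r"\\CurrentVersion\\Windows\\(load|run)$", "Windows load/run value",
     "legacy win.ini-style autorun; here set in the SYSTEM account's hive"),
    (r"\\Hidden\\SHOWALL\\CheckedValue$", "Hidden-files hijack",
     "stops 'Show hidden files and folders' from taking effect, so dropped files stay hidden"),
]


def parse_mbam_log(text):
    """Return (section, item, detection, action) for every detection line in the log."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        hit = ITEM_RE.match(line)
        if hit and section:
            entries.append((section, hit["item"], hit["detection"], hit["action"]))
    return entries


def classify_autostart(item):
    """Return (mechanism, explanation) if the path is a known autostart location, else None."""
    for pattern, name, why in AUTOSTART_RULES:
        if re.search(pattern, item, re.IGNORECASE):
            return name, why
    return None


def triage(text):
    """Group detections by persistence mechanism and list what is still pending a reboot."""
    persistence, pending = defaultdict(list), []
    entries = parse_mbam_log(text)
    for _section, item, _detection, action in entries:
        hit = classify_autostart(item)
        if hit:
            persistence[hit[0]].append(item)
        # "Delete on reboot" means the file or module is still present until the machine
        # restarts, which is why the helper insists on rebooting before rescanning.
        if action.startswith("Delete on reboot"):
            pending.append(item)
    return {"entries": entries, "persistence": dict(persistence), "pending_reboot": pending}


def report(result):
    """Human-readable summary of a triage() result."""
    lines = ["%d detections" % len(result["entries"])]
    for name, items in result["persistence"].items():
        why = next(w for _p, n, w in AUTOSTART_RULES if n == name)
        lines.append("  [%s] %s" % (name, why))
        lines.extend("      " + i for i in items)
    if result["pending_reboot"]:
        lines.append("still present until reboot:")
        lines.extend("      " + i for i in result["pending_reboot"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```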


#10 boopme

Posted 12 April 2010 - 10:29 PM

Ok, this is good and bad.. Good removal, but bad if you do banking etc... here.
You needed to reboot to complete that malware removal.
It's late here so I will look back tomorrow.



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


I guess if you want to clean, our next step is a long deep scan with Dr.Web CureIt.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Edited by boopme, 12 April 2010 - 10:30 PM.


#11 Jeebus
  • Topic Starter

Posted 12 April 2010 - 10:41 PM

Before I decide whether or not to nuke and reinstall, is it possible that her Microsoft Word/PowerPoint/Excel etc. files will be infected? Or does this type of trojan only target executable-type files?

I ask only because the owner of the computer wants to save her teaching materials if possible but I wouldn't want to back them up only for the files to reinfect the machine.

Thanks for all the help so far, it's much appreciated.

#12 boopme

Posted 12 April 2010 - 10:49 PM

Here are my reformatting instructions to help you decide. It should answer your question.

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech
Windows XP: Clean Install

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
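To apply the backup rules from the post above mechanically (copy documents and media, skip executables and the listed extensions, look closely at the full name for a hidden second extension), here is an added Python example, not code from the thread or from BleepingComputer, that sorts a file listing into copy / skip / review. It goes a little beyond the post's list by also treating .lnk, .dll, .vbs and similar as executable-type, and it flags names padded with a space before the extension, like "acrotray .exe" and "ctv263 .exe" in the MBAM log; the sample listing is constructed.

```python
import ntpath
from collections import defaultdict

# Data extensions the post names (.doc, .txt, .mp3, .jpg) plus the Office formats the
# topic starter asked about. Assumption: extend this set for the files you actually keep.
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf",
                   ".pdf", ".mp3", ".jpg", ".jpeg", ".png", ".gif"}
# Extensions the post says never to back up.
NEVER_BACKUP = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Further executable-type extensions, added here beyond the post's list (assumption).
EXECUTABLE_EXTRA = {".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll",
                    ".sys", ".inf", ".msi", ".jar"}

# Constructed sample: a made-up listing of the kind of files the owner would want kept.
SAMPLE_FILES = [
    r"C:\Documents and Settings\Jacqui\My Documents\lesson plan.doc",
    r"C:\Documents and Settings\Jacqui\My Documents\term 2 slides.pptx",
    r"C:\Documents and Settings\Jacqui\My Documents\photos\class trip.jpg",
    r"C:\Documents and Settings\Jacqui\My Documents\marks.xls.exe",
    r"C:\Documents and Settings\Jacqui\My Documents\worksheet .doc",
    r"C:\Documents and Settings\Jacqui\Desktop\site shortcut.lnk",
    r"C:\Documents and Settings\Jacqui\My Documents\archive.zip",
    r"C:\Documents and Settings\Jacqui\rundll32.exe",
    r"C:\Documents and Settings\Jacqui\My Documents\notes.one",
]


def classify_for_backup(path):
    """Return (verdict, reason); verdict is 'copy', 'skip' or 'review'."""
    name = ntpath.basename(path)          # ntpath handles Windows paths on any host
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    inner_ext = ntpath.splitext(stem)[1].lower()   # second-to-last extension, if any
    if ext in NEVER_BACKUP or ext in EXECUTABLE_EXTRA:
        if inner_ext in DATA_EXTENSIONS:
            return "skip", "double extension: %s hidden behind %s" % (ext, inner_ext)
        return "skip", "%s is on the do-not-back-up list" % ext
    if stem != stem.rstrip():
        # Padding before the extension, as in 'acrotray .exe' in the MBAM log, is a
        # name worth a second look even when the extension itself looks harmless.
        return "review", "whitespace before the extension; check the full name"
    if inner_ext in DATA_EXTENSIONS:
        return "review", "double extension %s%s; check which program opens it" % (inner_ext, ext)
    if ext in DATA_EXTENSIONS:
        return "copy", "data file (still scan it on the clean machine before restoring)"
    return "review", "unrecognised extension %r" % ext


def plan_backup(paths):
    """Group paths by verdict: {'copy': [(path, reason), ...], 'skip': [...], 'review': [...]}."""
    plan = defaultdict(list)
    for path in paths:
        verdict, reason = classify_for_backup(path)
        plan[verdict].append((path, reason))
    return dict(plan)


if __name__ == "__main__":
    for verdict, items in plan_backup(SAMPLE_FILES).items():
        print(verdict.upper())
        for path, reason in items:
            print("  %s  [%s]" % (ntpath.basename(path), reason))
```

Anything in the review bucket is for a human to look at on the clean machine; the copy bucket still gets scanned before it is restored, as the post says.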



