Access to Router Blocked, System Restore Inop


5 replies to this topic

#1 RayS

  • Malware Study Hall Senior
  • 2,280 posts
  • Gender:Male
  • Location:USA

Posted 03 June 2010 - 06:18 AM

Orange Blossom advised me to describe my problem and post DDS and GMER logs here.

I already posted the description on the "Am I Infected Forum", but I'm repeating it here for your convenience. Below that I am including the DDS log, but the PC froze at the completion of the GMER scan so I can give you only some of the info I copied from the GMER log by hand. These items follow in sequence:

Description:

Time Stamper:: 2010-06-02 4:36 AM Wednesday

To All,

Running WinXP Pro SP3.

The long message below tells you how I got to this point, but the most recent problem is that I get the following when I try to DISABLE System Restore, "...error trying to enable/disable one or more drives. Reboot and try again". Needless to say, I have tried rebooting multiple times. The Registry tweak at http://www.kellys-korner-xp.com/xp_tweaks.htm on line 278 called, "Restore/Enable system restore" is no help. This is a new problem that started tonight.


On May 15th, I unintentionally allowed an EXE file to download, and then mistakenly launched it. WinPatrol alerted me right away that a BHO was trying to install on one of my browsers. MSIE v8.0 and Firefox v3.6.3 were both running, and I didn't notice which browser was being targeted. I denied access to the BHO via WinPatrol but a different WinPatrol warning popped up immediately. I quickly deleted the EXE file, but the damage had already been done.

I ran scans with AVG Free and Malwarebytes. The following were found:

1886083054.EXE Trojan horse SHEUR3.WHA Process name BSQMCL.EXE all in \Local Settings\Temp

Win32\ALVREON Trojan generic17.cafo

Also identified Windows\Temp\00003a18 and Windows\Temp\00007392

Also suspicious in Startup Programs RHQQF in C:\Program Files\Windows Services\SVCHOST.EXE and an un-named MSIE helper in C:\Windows\System32\JE126U3.DLL This same DLL is listed as an entry in the Registry in HKLM\Software... (I can give you the exact key location if you need it).

I allowed AVG Free and Malwarebytes to quarantine these threats. Then I deleted the quarantined items and rebooted.

A short time later, AVG Resident Shield quarantined Windows\system32\msihost.exe labeled as Trojan SHEUR3XZ0 and www1.cosmosave1.com threat analysis type 1007

I deleted the quarantined items and rebooted.

The next day, AVG said the following accessed file is infected and it said "Threat was blocked": www1.zoneofsafe29-pr.net/?
The process name was Svchost.exe and Process ID was 1280.

During another whole system scan with both AVG Free and Malwarebytes, MBAM quarantined the following Registry Key: HKEY_Current.USER\Software\fouked-U

I deleted the quarantined items, disabled System Restore, and rebooted into Safe Mode.

While in Safe Mode, during another whole system scan, MBAM quarantined the following:
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\explorer\IDSTRF and it identified the vendor as malware.trace

On May 18, I consulted several sources including this forum. Then I disabled System Restore, ran TFC.EXE (temporary file cleaner), and installed SUPERAntiSpyware Free and, in Safe Mode, ran a whole system scan. SAS quarantined TROJAN/AGENT/Gen-FakeAV.

I deleted that threat, and the PC appeared to run normally until May 19, when SAS quarantined the same trojan.

A second SAS scan on 5/19 quarantined TROJAN/AGENT/Gen-FakeAlert

A third SAS whole system scan on 5/19 quarantined TROJAN.Dropper/sys-NV

In all cases, I deleted quarantined items.

Subsequent scans on 5/19 using SAS, MBAM, and AVG found nothing.

On 5/23 while the PC was idle with both browsers open to well-known astronomy websites, AVG Resident Shield said it had blocked www2.userguardzz1.com? in Svchost.exe Process ID was 1280.

Again, I ran TFC.EXE in Safe Mode with System Restore OFF. I ran all three scanners again but they found nothing.

All appeared normal until 5/29 when AVG Resident Shield blocked VIP-1127.com Threat name is Exploit Neosploit Toolkit (Type 1109) in Windows Explorer Process ID is 4572

All three scanners still find nothing.

On June 1, with both browsers running but idle, WinPatrol said Microsoft Bookmark Manager wanted to install itself. I denied access, but the pop-up kept returning. I closed both browsers, but Bookmark Manager pop-up continued. I ran TFC.EXE again but after re-boot, I have lost all internet connectivity on that PC. (I'm using a different PC now.)

Device Manager says NVIDIA nForce Networking Controller is working normally, but in DOS Mode, IPCONFIG cannot see the router. When I try IPCONFIG /renew it returns error, "RPC server unavailable". The monitor light on the network adapter card is steady green, and I swapped the cable from PC to router with a cable that had been running normally. Two other desktop PCs are connected to the router by Ethernet cable. A laptop is connected wirelessly. Those computers have normal internet connections.

I just rebooted the sick PC into Safe Mode and ran TFC.EXE again. I then rebooted into Safe Mode and ran MBAM and SAS on the whole PC again, but, this time, I did not close System Restore. SAS quarantined the following: Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17A0D303-F1F7-4B27-ADB1-E577D7A89A15}\RP1\A0000040.DLL

I deleted the threat, and rebooted normally. The PC still has no connectivity.

I used WinPatrol v17.0.2010 to examine all the IE Helpers. I found an un-named helper at HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar. I deleted that helper and rebooted but no joy.

I doubt this is a hardware problem because I had perfect connectivity right up until I rebooted for the first time tonight. Three other PCs are still connected to each other via the LAN, and they have good internet connections.

What do you recommend as my next step?

Thanks for your help,

RayS

*****



DDS (Ver_10-03-17.01) - NTFSx86
Run by RAS at 23:06:23.28 on 06/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.google.com/
uWindow Title =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\ras\startm~1\programs\startup\file-ex.lnk - c:\program files\file-ex 3\FileEx.exe
StartupFolder: c:\docume~1\ras\startm~1\programs\startup\freeba~1.lnk - c:\program files\freebar\FreeBar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mups.lnk - c:\program files\belkin bulldog plus\MUPS.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: asterism.org\www
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195887477046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224895486546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9E065E4A-BD9D-4547-8F90-985DC62A5591} - hxxp://192.168.1.105/PlayerPT.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.193/xplugLite.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D64CF6D4-45DF-4D8F-9F14-E65FADF2777C} - hxxp://www.dvrstation.com/pdvratl.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ras\applic~1\mozilla\firefox\profiles\d3skf7th.default\
FF - prefs.js: browser.startup.homepage - hxxp://clearstation.etrade.com/
FF - component: c:\documents and settings\ras\application data\mozilla\firefox\profiles\d3skf7th.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\ras\application data\mozilla\firefox\profiles\d3skf7th.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\ras\application data\mozilla\firefox\profiles\d3skf7th.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\documents and settings\ras\application data\mozilla\firefox\profiles\d3skf7th.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\winnt_x86-msvc\components\winprocess.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-03 03:05:28 0 ----a-w- c:\documents and settings\ras\defogger_reenable
2010-06-02 07:17:34 0 d-----w- c:\documents and settings\ras\Scanner Logs
2010-06-01 19:58:48 7106 ----a-w- c:\windows\system32\thqvmk
2010-06-01 19:58:48 64512 ----a-w- c:\windows\system32\klgd.bmp
2010-05-26 10:55:26 0 d-----w- c:\program files\HashMyFiles
2010-05-19 09:56:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 09:56:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 09:56:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 08:40:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-18 04:37:56 175104 ----a-w- c:\docume~1\ras\applic~1\SQLite3.dll
2010-05-18 03:55:27 0 d-----w- c:\program files\WindowsServices
2010-05-05 22:55:07 0 d-----w- c:\program files\Cielv30

==================== Find3M ====================

2010-04-22 12:40:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 14:58:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 01:17:36 39424 ----a-w- c:\windows\zipinst.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-09-19 08:05:00 312517 ----a-w- c:\program files\LViewPro 1.D2.zip
2006-06-23 22:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2003-10-20 05:04:54 208752 ----a-w- c:\program files\INSTALL.LOG
2002-09-26 23:14:12 650 ----a-w- c:\program files\readme.txt
2002-01-02 18:28:00 87771 ----a-w- c:\program files\changes.txt
2000-01-01 05:00:02 6414 ----a-w- c:\program files\scoring.txt

============= FINISH: 23:07:43.76 ===============




Problem with GMER Scan:

Time Stamper:: 2010-06-03 6:45 AM Thursday

The GMER scan ran for over six hours. I didn't see any completion message, but the names of files being scanned that appear near the bottom of the screen remained blank for about ten minutes, so I assumed it was done. When I pressed the "Save" button, I was not offered a screen on which to indicate location. Instead, I saw an hourglass that stayed on screen indefinitely. The PC was frozen. Not even Task Manager would launch.

The GMER log showed 20 lines of text labeled as follows:
.rsc (1 instance)
.TEXT (5 instances)
Attached D... (2 instances)
Device (1 instance)
Attached D... (3 instances)
REG (5 instances)
File (2 instances)

Here is some of the GMER log that I copied by hand:

c:\windows\system32\drivers\DMIO.SYS
c:\windows\system32\drivers\ATAPI.SYS
c:\windows\system32\drivers\nv4_mini.sys
c:\windows\system32\drivers\searchindexer.exe[2220]kernel32.dll\writefile
c:\windows\explorer.exe[3180]ntdll.dll!ntprotectvirtualmemory
c:\windows\explorer.exe[3180]ntdll.dll!writevirtualmemory
c:\windows\explorer.exe[3180]ntdll,dll!kiuserexceptionsdispatcher

I have cycled power OFF/On, and have begun a new GMER scan. When it finishes, I'll try the "Copy" button, and maybe capture the log that way. Please tell me if that might be helpful. Tell me also if there is some particular info you would like me to hand-copy from the next log.

Please tell me whether you consider it "bumping" if I send you results of the later scan?

Many thanks for your help.

RayS

****


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.
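A small triage script for DDS logs like the one posted above (an added example, not part of the original post and not a DDS or BleepingComputer tool): it parses the mRun, Hosts and "Created Last 30" line formats and applies a few defender-side rules. The sample lines are copied from the log above, the RHQQF startup entry is rewritten in mRun syntax from the description in the post, and the rule names and the Program Files / system32 conventions are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the first post, plus the
# RHQQF entry described in the post's text, rewritten here in mRun syntax.
SAMPLE_DDS = r"""
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [RHQQF] c:\program files\windows services\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-06-01 19:58:48 7106 ----a-w- c:\windows\system32\thqvmk
2010-06-01 19:58:48 64512 ----a-w- c:\windows\system32\klgd.bmp
2010-05-19 09:56:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 03:55:27 0 d-----w- c:\program files\WindowsServices
"""

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ ([-dasrhw]{8}) (.+)$")
RUN_RE = re.compile(r"^[mu]Run: \[(.+?)\] (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
# First executable token of a Run command (a path may contain spaces).
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif|cmd))\b', re.I)

SYSTEM32 = "c:\\windows\\system32\\"
PROGRAM_FILES = "c:\\program files\\"
BARE_NAME_OK = {"rundll32.exe"}   # loaders legitimately started by bare name

def _split(path):
    name = path.rsplit("\\", 1)[-1]
    return path[: len(path) - len(name)], name

def check_created(line):
    """'Created Last 30' entries: files written around the infection date."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    is_dir = m.group(1).startswith("d")
    path = m.group(2).lower()
    parent, name = _split(path)
    out = []
    # A fresh extension-less file directly in system32 is unusual for legitimate software.
    if not is_dir and parent == SYSTEM32 and "." not in name:
        out.append(Finding("system32-no-extension", path))
    # A new Program Files directory named like a Windows component ('WindowsServices').
    if is_dir and parent == PROGRAM_FILES and name.replace(" ", "").startswith("windows"):
        out.append(Finding("windows-lookalike-dir", path))
    return out

def check_run(line):
    """Run-key entries: what starts with Windows, and from where."""
    m = RUN_RE.match(line)
    if not m:
        return []
    label, cmd = m.group(1), m.group(2).strip()
    em = EXE_RE.match(cmd)
    if not em:
        return [Finding("unparsed-run-command", line)]
    exe = em.group(1).lower()
    out = []
    # A bare file name is resolved through PATH, so the log does not show which binary runs.
    if "\\" not in exe and exe not in BARE_NAME_OK:
        out.append(Finding("bare-executable-name", f"[{label}] {exe}"))
    # The real svchost.exe lives in system32; a copy anywhere else is a masquerade.
    if _split(exe)[1] == "svchost.exe" and not exe.startswith(SYSTEM32):
        out.append(Finding("svchost-outside-system32", exe))
    return out

def check_hosts(line):
    """Any hosts override deserves a look; mapping a security site to 127.0.0.1 blocks it."""
    m = HOSTS_RE.match(line)
    return [Finding("hosts-override", f"{m.group(2)} -> {m.group(1)}")] if m else []

def triage(text):
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings += check_created(line) + check_run(line) + check_hosts(line)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:28} {f.detail}")
```

The rules are deliberately narrow; they rank entries for a human to look at, they do not declare anything malicious on their own.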



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 June 2010 - 11:53 AM

Hello RayS

Welcome to BleepingComputer
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
========================
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
================
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 RayS

  • Topic Starter
  • Malware Study Hall Senior
  • 2,280 posts
  • Gender:Male
  • Location:USA

Posted 06 June 2010 - 07:22 PM

QUOTE(kahdah @ Jun 6 2010, 12:53 PM)
Hello RayS
<snip>

One or more of the identified infections is a backdoor trojan or rootkit.

<snip>

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.



Hi kahdah,

I'm seriously considering reformat and reinstall. Meanwhile, I have been transferring data files to a different PC. These are mainly MS Office files (DOC, PPT, MDB, and XLS) plus HTML and TXT files and several gigs of photos and videos. I'm not transferring any executables such as EXE, DLL, COM, or BAT files. What is the chance that I am transferring trojan or rootkit to the new PC?

The infected machine is running WinXP Pro. The new one runs Win7 Pro 64-bit and it is protected with WinPatrol, Spybot Search & Destroy, and MS Security Essentials. I also regularly scan with SuperAntiSpyware.

I haven't detected any suspicious activity on the new PC. Please advise as to safe procedures for transferring my data. I'm currently using Windows Explorer to copy onto a thumb drive.

My internet access is through a NAT router connected to a cable modem. Please advise as to an effective firewall. Do I need separate versions of the firewall if I install it on the new PC and on the old PC after reformat and re-installation of WinXP Pro?

Please don't close this thread just yet. I'll let you know what I decide about reformatting by late Monday.

Thank you for your help,

RayS



#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 07 June 2010 - 06:44 AM

You will be safe transferring data like that; it isn't a worm or virus, it is a rootkit, so it infects a system driver and brings in more malware.
A firewall that is built in is fine for Win7 64-bit, and since it is 64-bit it has a less likely chance of getting infected anyway.

Let me know and we will continue.
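A defender-side check for the kind of data copy discussed in the two posts above (an added example, not code from the thread or from any tool named in it): it decides per file whether to copy, hold or refuse, and reads the first bytes rather than trusting the extension, since an executable renamed to .jpg or .doc would otherwise ride along. The extension lists, decision names and the sample files are this example's own constructions.

```python
import tempfile
from pathlib import Path

# Extensions the poster said he is carrying over, plus common photo/video types.
DATA_EXTS = {".doc", ".ppt", ".mdb", ".xls", ".htm", ".html", ".txt",
             ".jpg", ".jpeg", ".png", ".gif", ".mp4", ".avi", ".mov"}
# Extensions the poster is deliberately leaving behind (plus a few script types).
CODE_EXTS = {".exe", ".dll", ".com", ".bat", ".scr", ".pif", ".cmd", ".vbs", ".js", ".lnk"}
# Legacy binary Office formats can carry VBA macros: copy, but scan before opening.
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".mdb"}
# Header of the OLE2 compound document used by .doc/.xls/.ppt (Office 97-2003).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(name: str, head: bytes) -> str:
    """Decide what to do with one file from its name and its first bytes."""
    ext = Path(name).suffix.lower()
    # Anything starting with the DOS/PE 'MZ' stub is a Windows executable,
    # whatever the extension claims.
    if head.startswith(b"MZ"):
        return "reject-executable-content"
    if ext in CODE_EXTS:
        return "skip-code-extension"
    if ext in MACRO_CAPABLE:
        # A .doc/.xls/.ppt that lacks the OLE2 header is not the format its name
        # claims (could be RTF or HTML saved as .doc); hold it for a manual look.
        if ext != ".mdb" and not head.startswith(OLE2_MAGIC):
            return "hold-format-mismatch"
        return "copy-then-scan-for-macros"
    if ext in DATA_EXTS:
        return "copy"
    return "skip-unknown-extension"


def plan_transfer(src_dir: str) -> dict:
    """Map every file under src_dir (relative path) to a decision."""
    plan = {}
    for p in sorted(Path(src_dir).rglob("*")):
        if p.is_file():
            with open(p, "rb") as fh:
                head = fh.read(8)
            plan[str(p.relative_to(src_dir))] = classify(p.name, head)
    return plan


def build_sample_dir() -> str:
    """Constructed sample tree: synthetic stand-ins, not real documents."""
    d = tempfile.mkdtemp(prefix="transfer_demo_")
    samples = {
        "report.doc": OLE2_MAGIC + b"\x00" * 24,          # genuine-looking Word 97 file
        "notes.txt": b"astronomy observing notes\n",
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 20,        # executable renamed to .jpg
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 20,
        "budget.xls": b"<html>not a spreadsheet</html>",    # wrong format for .xls
        "index.html": b"<html></html>",
    }
    for name, data in samples.items():
        (Path(d) / name).write_bytes(data)
    return d


if __name__ == "__main__":
    for name, decision in plan_transfer(build_sample_dir()).items():
        print(f"{decision:28} {name}")
```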

#5 RayS

  • Topic Starter
  • Malware Study Hall Senior
  • 2,280 posts
  • Gender:Male
  • Location:USA

Posted 08 June 2010 - 05:14 AM

QUOTE(kahdah @ Jun 7 2010, 07:44 AM)
You will be safe transferring data like that; it isn't a worm or virus, it is a rootkit, so it infects a system driver and brings in more malware.
A firewall that is built in is fine for Win7 64-bit, and since it is 64-bit it has a less likely chance of getting infected anyway.

Let me know and we will continue.



Hi kahdah,

I've decided to nuke my PC. I'm still transferring data as I said before -- MS Office files (DOC, PPT, MDB, and XLS) plus HTML and TXT files and several gigs of photos and videos. But when I'm done, I will reformat and reinstall from scratch.

Your comment about 64-bit systems has made me curious. Are you saying the chance of infection is lower because the bad boys haven't written extensively for 64-bit systems yet, or are you saying that 64-bit systems are inherently more secure?

Thank you for your help.

RayS



#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 June 2010 - 07:04 AM

QUOTE
Your comment about 64-bit systems has made me curious. Are you saying the chance of infection is lower because the bad boys haven't written extensively for 64-bit systems yet, or are you saying that 64-bit systems are inherently more secure?
Correct, they can be infected, but not by a rootkit that is built for 32-bit.
32-bit drivers will not be allowed to install on a 64-bit architecture.
There is no known malware yet that is coded specifically for 64-bit that I know of or have seen.

You are welcome.



