
Trojan Horse SHeur3.SPF removed by AVG


This topic is locked. 42 replies to this topic.

#1 Rattyhammer


Posted 13 July 2010 - 04:47 AM

AVG found and Removed
Trojan Horse SHeur3.SPF and Trojan Horse Cryptic.IG

Subsequent to this infection the computer will randomly freeze, sometimes silently, sometimes with a high-pitched whine. The mouse arrow moves but nothing that is clicked does anything; the only option is a reboot using the power button.


Task Manager processes checked: nothing uses a great deal of memory, and CPU usage is low except for System Idle.

CCleaner run no issues
Malwarebytes run - nothing found
Superspyware run - nothing found
Hijackthis scan run and log file saved
Uniblue Registry Booster purchased and run; the first run found 1300-plus errors, all fixed after the fix run. The registry scan has been done several times since; 10 or so third-party errors are found each time and always fixed, with the odd locked exception (note: Uniblue Registry Defrag never runs fully, it stops after a short while with an error encountered). Registry Defrag has been run in safe mode, which appeared to work.
Microsoft Fix it Centre run - no problems found; Windows XP operating with SP3
Piriform Speccy run - no issues highlighted
Replaced AVG with Avast - no virus or anything else found with the Avast scan

Friend suggested I run Combofix which I have done and log stored in my documents.

When I logged on to Bleeping Computer and read the preparation to submit a post, it said not to run Combofix, but as said this has already been done and it ran through without any problem. I hope running Combofix is not a major problem.

I have run Defogger and DDS

I have tried to run GMER three times but the computer always freezes before the scan is complete; one time it blue-screen crashed with the following code:

0x00000050, 0xADFBFB30, 0x00000001, 0xAD232FA6, 0x00000000
pxtdqpod.sys
Address AD232FA6 and AD227000
Datestamp 46274f8d

One time the scan seemed to complete but couldn't save, but I have the tmp file (62.9 MB) if that's any help and the scan info can be extracted. I tried opening the tmp with Notepad but no text appeared.

DDS.txt as follows


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark at 16:38:03.20 on 07/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1868 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 10.150.9.3:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {07BC6C45-2189-4760-AC59-03BDCC051481} - hxxp://www.wayn.com/activex/WAYNImportOutlook.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 165456]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 166632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-31 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-18 54752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 840936]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 MpKsl8bc9445d;MpKsl8bc9445d;c:\program files\windows live safety center\MpKsl8bc9445d.sys [2010-5-9 28752]
S1 MpKslb5ecc176;MpKslb5ecc176;c:\program files\windows live safety center\MpKslb5ecc176.sys [2010-5-9 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-5-25 23456]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-24 95024]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-07 15:37:42 0 ----a-w- c:\documents and settings\mark\defogger_reenable
2010-07-07 09:10:18 0 d-sha-r- C:\cmdcons
2010-07-07 08:58:53 98816 ----a-w- c:\windows\sed.exe
2010-07-07 08:58:53 77312 ----a-w- c:\windows\MBR.exe
2010-07-07 08:58:53 256512 ----a-w- c:\windows\PEV.exe
2010-07-07 08:58:53 161792 ----a-w- c:\windows\SWREG.exe
2010-07-07 08:58:44 0 d-----w- C:\ComboFix
2010-07-05 18:10:04 0 d-----w- c:\windows\system32\winrm
2010-07-05 18:09:33 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-02 13:25:37 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 17:48:56 359585 ----a-w- c:\temp\tidyup.exe
2010-06-13 16:09:04 0 d-----w- c:\program files\Fibonacci
2010-06-09 19:29:49 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-08 22:20:14 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-06-14 19:22:24 95672 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-25 21:58:31 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-05-25 10:17:19 77568 ----a-w- c:\windows\system32\drivers\WudfPf.sys
2010-05-24 21:35:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 11:43:30 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-04-12 16:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2008-08-31 12:52:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 16:39:17.76 ===============

Attach.txt uploaded
ARK.txt not uploaded as I never got that far as noted above

I have the Combofix log if you want it uploaded

Any help to remove the malware/rootkit and solve the PC freeze problem would be appreciated.

Rattyhammer

Attached Files
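Added example (not from the thread or from DDS itself): a small triage pass over lines of the DDS.txt above, applying the checks a removal helper does by eye, namely registry entries whose file is gone ("No File"), services and drivers whose binary DDS could not find ("[?]"), a configured IE proxy, and Winsock LSP entries. The sample lines are copied from the log posted here; the rule set and category names are my own, and a hit means "review this", not "this is malware".

```python
"""Triage a DDS log: pull out the entries a malware-removal helper checks first.

Added example, not part of the thread or of DDS. Sample lines below are
copied from the DDS.txt posted in this thread (constructed subset).
"""
import re
from collections import defaultdict

SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = 10.150.9.3:80
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
LSP: c:\progra~1\speedb~1\sblsp.dll
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 165456]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
"""

# DDS service/driver line: "<R|S><start type> name;display name;path [date size]"
# R = running, S = stopped; the digit is the Windows start type (0 = boot-start).
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def classify(line: str):
    """Return (category, detail) for a line worth a second look, else None."""
    line = line.rstrip()
    if not line:
        return None
    # BHO/TB/etc. entries still registered although the DLL is gone from disk.
    # Usually uninstall leftovers, but every one of them is worth confirming.
    if line.endswith("- No File"):
        kind = line.split(":", 1)[0]
        clsid = CLSID_RE.search(line)
        return ("orphaned-entry",
                f"{kind} {clsid.group(0) if clsid else '?'}: registry entry with no file on disk")
    # A Winsock layered service provider sees all socket traffic; confirm the vendor.
    if line.startswith("LSP:"):
        return ("winsock-lsp", line.split(":", 1)[1].strip())
    # An IE proxy routes every browser request elsewhere; confirm the owner set it.
    m = re.match(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)", line)
    if m:
        return ("ie-proxy", m.group(1))
    # "[?]" means DDS could not find the binary at the registered path.
    m = SERVICE_RE.match(line)
    if m and m.group("path").endswith("[?]"):
        boot = m.group("start") in ("S0", "R0")
        return ("missing-driver",
                f"{m.group('start')} {m.group('name')}" + (" (boot-start)" if boot else ""))
    return None


def triage(text: str) -> dict:
    """Group every flagged line of a DDS log by category."""
    hits = defaultdict(list)
    for line in text.splitlines():
        res = classify(line)
        if res:
            hits[res[0]].append(res[1])
    return dict(hits)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(category)
        for item in items:
            print("   ", item)
```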





#2 etavares

Bleepin' Remover, Malware Response Team

Posted 18 July 2010 - 07:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Please also attach the combofix log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 Rattyhammer


Posted 18 July 2010 - 06:00 PM

Etavares,

Many thanks for the reply I will run the scans and submit the resultant logs

Rattyhammer

#4 etavares


Posted 18 July 2010 - 06:16 PM

OK, I'll keep an eye out for them.




#5 Rattyhammer


Posted 19 July 2010 - 07:06 AM

Etavares

The problem still being experienced is that the computer randomly freezes; it doesn't seem to be related to the number of applications running or the connection to the internet.


Task Manager processes checked: nothing uses a great deal of memory, and CPU usage is low except for System Idle.

As noted in the original posting

CCleaner run no issues
Malwarebytes run - nothing found
Superspyware run - nothing found
Hijackthis scan run and log file saved
Uniblue Registry Booster purchased and run; the first run found 1300-plus errors, all fixed after the fix run. The registry scan has been done several times since; 10 or so third-party errors are found each time and always fixed, with the odd locked exception (note: Uniblue Registry Defrag never runs fully, it stops after a short while with an error encountered). Registry Defrag has been run in safe mode, which appeared to work.
Microsoft Fix it Centre run - no problems found; Windows XP operating with SP3
TDSSKiller run
Piriform Speccy run - no issues highlighted
Replaced AVG with Avast - no virus or anything else found with the Avast scan

Friend suggested I run Combofix which I have done and log stored in my documents.

I have run CCleaner (cleaned out temp files etc) and Malwarebytes and Superspyware several times since and nothing found.

I have also run the Uniblue Registry Booster and it picks up about 10 issues, which are then fixed each time.

I have run the OTL and attach the two logs

I have tried to run GMER; it ran for three hours and continued to run even though the computer froze, but before it finished it crashed and BSOD with the following code:

STOP Driver-IRQL-NOT-LESS-OR-EQUAL
0x000000D1, 0x0000001C, 0x00000001, 0x842E500C,

I cannot find the ComboFix log; it's no longer in My Documents, maybe CCleaner deleted it, so I will run this again and forward the new log.

Attached Files



#6 Rattyhammer


Posted 19 July 2010 - 08:03 AM

New ComboFix run log attached

Attached Files



#7 etavares


Posted 19 July 2010 - 07:57 PM

Please post this file here...it should be your original run. It's important to understand what was removed before we proceed.
C:\Qoobox\ComboFix2.txt

For the GMER, please run it in safe mode with "Files" and "Sections" only checked. That will give it a greater chance of completion.




#8 Rattyhammer


Posted 20 July 2010 - 09:38 AM

Original ComboFix2.txt attached; will try running GMER in safe mode and post the result.

Attached Files



#9 etavares


Posted 20 July 2010 - 08:08 PM

Hello, Rattyhammer.

You can skip the GMER scan for now. You're infected with an MBR rootkit. We need to find out what flavor you have.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares




#10 Rattyhammer


Posted 21 July 2010 - 02:41 AM


Etavares

MBR link just gets a 403 Forbidden message.

Reading the other links it looks like reformatting is the way to go

But so I know how serious the backdoor trojan is: the links said a lot of adware, slightly less serious, is just trying to sell, and my original problem was a Google redirect which I managed to correct.

Before I reformat, is there any way of finding out how badly I have been exposed, i.e. what the rootkit is and how serious it is in terms of the info that is likely to have been available?

I will disconnect this computer from the internet after this reply and check for your reply on another machine

Regards,

Rattyhammer

#11 etavares


Posted 21 July 2010 - 07:21 AM

G2G is handling some issues right now. Try this link to run..it will diagnose the rootkit. We won't know what info was exposed...they could access anything and everything, but we'll know the infection.

Download MBRCheck from here.




#12 Rattyhammer


Posted 21 July 2010 - 08:29 AM

Will reconnect the PC and run the download from MBRCheck when I am back home later today

When I run the scan should I also include the Seagate external hard drive which has a backup of my computer (my F drive)? Could this also have been infected?

If I do end up reformatting my C drive I wouldn't want to reinfect by downloading the backup back on to the machine.

P.S. Whilst we continue on this journey I just want to say your help is much appreciated thank you

Regards,

rattyhammer

#13 Rattyhammer


Posted 21 July 2010 - 08:36 AM

To add to my reply below: just to be clear, my Seagate external hard drive is my F drive and has a copy of my C drive.



#14 Rattyhammer


Posted 21 July 2010 - 11:48 AM

MBR Log attached

Attached Files



#15 etavares


Posted 21 July 2010 - 06:07 PM

Is your backup up to date? If it is, or you want to continue anyways let's move on.

Next, run MBR Check again.

This time, after it finds a non-standard or infected MBR, type 2 for 'Restore the MBR...' and press ENTER.

At the next prompt, Type 0 (the number zero) for the physical disk to fix (matches the C:\ drive up top).

Then, type 1 to restore the Windows XP MBR.

Type "YES" to continue and press ENTER.

It should say that it successfully wrote the code, then press ENTER to exit. Do so.


Next, run MBRCheck again, but press 3 to exit after it does the scan. Post the new MBR log.




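Added example (not the thread's or MBRCheck's code) of what the MBRCheck detect-and-restore steps in posts #9 and #15 amount to: compare the 446-byte boot-code region of sector 0 against a known-good copy, validate the partition table and the 0x55AA signature, and repair by rewriting only the boot code so the partition table survives. The known-good boot code and both sample sectors are constructed stand-ins, not the real Windows XP code, and reading a live disk on Windows (opening \\.\PhysicalDrive0 as Administrator) is deliberately not done here.

```python
"""Check a raw 512-byte MBR image against a known-good boot-code baseline.

Added example, not code from the thread or from MBRCheck. The baseline
boot code below is a constructed stand-in for the genuine Windows XP code.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511

# Constructed stand-in for known-good boot code (NOT the real Windows code).
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_DIGEST = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
KNOWN_GOOD = {CLEAN_DIGEST: "constructed baseline (stand-in for Windows XP)"}


def parse_partitions(mbr: bytes):
    """Decode the four partition-table entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-first(3) type(1) CHS-last(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> dict:
    """Classify the boot code as standard/non-standard and sanity-check the rest."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    if not any(p["type"] for p in parts):
        findings.append("partition table is empty")
    verdict = "standard" if digest in KNOWN_GOOD else "non-standard"
    return {"verdict": verdict, "boot_code_sha256": digest,
            "partitions": parts, "findings": findings}


def restore_boot_code(mbr: bytes, clean_code: bytes = CLEAN_BOOT_CODE) -> bytes:
    """Rewrite only the boot-code region; partition table and signature are kept."""
    if len(clean_code) != BOOT_CODE_LEN:
        raise ValueError("clean boot code must be 446 bytes")
    return clean_code + mbr[BOOT_CODE_LEN:]


def build_sample(boot_code: bytes) -> bytes:
    """Construct a 512-byte sector with one bootable NTFS (type 0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return boot_code + table + SIGNATURE


CLEAN_MBR = build_sample(CLEAN_BOOT_CODE)
# Constructed "infected" sector: boot code swapped out, partition table intact,
# which is exactly the shape a bootkit leaves behind.
TAMPERED_MBR = build_sample(b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(img)
        print(f"{name}: {r['verdict']} (boot code sha256 {r['boot_code_sha256'][:16]}...)")
    print("after restore:", check_mbr(restore_boot_code(TAMPERED_MBR))["verdict"])
```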




