Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Resistant Infection


  • This topic is locked This topic is locked
5 replies to this topic

#1 Minstral

Minstral

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 12 August 2010 - 07:47 AM

Hello,

I am helping a friend clean up his computer. The computer is running XP home. When using the internet, search results and pages other than the home/email page are redirected to random sites.

I installed Malwarebytes' Anti-Malware on the computer. After installation, Malwarebytes would not run. I reinstalled into a different directory than the default. Malwarebytes still would not run. After renaming mbam.exe, Malwarebytes would run. After multilple scans, both quick and full, Trojan.DNSChanger keeps appearing in the results. I have not had a scan without at least 1 infection being reported.

I decided to uninstall and reinstall Malwarebytes' Anti-Malware into the default directory. After installation, Malwarebytes would not run as mbam. When I renamed mbam, Malwarebytes ran. I was unable to perform the update on the new installation. When I tried, I received an error message. The newly installed version was 4052 and dated 4/29/2010. I ran a quick scan without the update and found Trojan.DNSChanger on the system again. After rebooting, I tried to update again. This time, the update worked. Malwarebytes is now at version 4422, dated 8/12/2010. Currently, the computer is running a full scan.

Also, I receive 2 RUNDLL errors on startup. One is for C:\WINDOWS\ipfxscag.dll. The other is for C:\WINDOWS\abacelotefcao.dll. I am guessing that these are from previously cleared infections, but are still in the registry. I can fix the registry, but would like to get rid of the resistant infection first.

By the way, I am writing this message from my clean computer. The infected computer is currently disconnected from the internet. I only plug the infected computer onto the network when I need to update Malwarebytes.

Any help you can give is appreciated.

Thank you,
Minstral

BC AdBot (Login to Remove)

 


#2 Minstral

Minstral
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 12 August 2010 - 09:38 AM

I have some new information. Well, actually, it is the regular pattern of what I have been seeing. The full scan of Malwarebytes finished. Trojan.Agent in the C:\WINDOWS\System32\ernel32.dll file was found. I cleaned it and rebooted. I am running another Malwarebytes full scan. If the pattern continues, Trojan.DNSChanger will be found in this scan.

Minstral

#3 Minstral

Minstral
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 12 August 2010 - 06:19 PM

The latest full scan is finished on the infected computer. As expected, Trojan.DNSChanger is back. Trojan.Agent is also still on the system. The Trojan.Agent infection sometimes skips a turn. Trojan.DNSChanger has been an every other scan listing.

Minstral

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:21 AM

Posted 13 August 2010 - 09:49 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 13 August 2010 - 09:50 PM.
Removed the echo. ~ OB

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 Minstral

Minstral
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 14 August 2010 - 12:05 PM

Hello Orange Blossom,

I ran the requested scans and placed the log files in a new topic in the requested forum.

If you would like to see the continuation of this saga, click here.

Thank you for your help,

Minstral

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:21 AM

Posted 14 August 2010 - 05:59 PM

Hello,

Now for the hard part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users