Malware Disables Ctrl+Alt+Del Command

Department SOP is to remove the suspected HD and Slave it to a known good Bench PC then update/run McAfee AV, Malwarebytes and Spybot S&D at least 2x. If that doesn’t do it I just wipe it (NOT FDisk & Format... I mean WIPE!) then re-image and return to service. All data is SUPPOSED to be saved to a Network Home Directory. I’m actually working on this one cuz the user has a ton of downloaded programs used for his job. (And the experience will make my Kung Fu stronger.) And I wanna do the Malware Stuff here after I get the required number of posts.

McAfee was disabled so I mapped the HD to my PC and scanned it as a network drive. 1st time around all (McAfee AV, Malwarebytes and Spybot S&D ) found something and removed. 2nd scan turned up nothing.

Wohoo Success!

Made the formerly infected HD the Master to do a routine clean up/defrag before returning to service. Oops, now I can't use Ctrl+Alt+Del to logon in either Normal Boot or Safe Mode. I see the mouse/KB being recognized during boot and both Caps lock and Num lock light up on both of the KB’s I’ve tried.

It’s time for some Malware High Mojo!

BTW, we're using XPsp3.

Edited by Pandy, 19 August 2010 - 05:54 PM.
Moved form Malware Logs as no log is included and the prep guide not followed

Hello...
We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

• Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
• If prompted with a legal dialog, accept the warning.
• Click and then on "Advanced Mode"
  
• You may be presented with a warning dialog. If so, press
• Click on
• Click on
• Uncheck this checkbox:
  
• Close/Exit Spybot Search and Destroy

TASK MGR DISABLED

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start » Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.

Or you can download and use ERUNTwhich is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

Still no Ctrl+Alt+Del! Everything boots fine and Num Lock/Caps Lock still go on and off.

Post of log... (E:\ is the problem drive.)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/20/2010 at 01:36 PM

Application Version : 4.41.1000

Core Rules Database Version : 5347
Trace Rules Database Version: 3159

Scan type : Complete Scan
Total Scan Time : 04:30:30

Memory items scanned : 237
Memory threats detected : 0
Registry items scanned : 6705
Registry threats detected : 1
File items scanned : 163932
File threats detected : 92

Trojan.Downloader-WINHP32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#1 [ \\asitst04\TrackIt\Audit32.exe ]

Adware.Tracking Cookie
E:\Documents and Settings\ckrauss\Cookies\ckrauss@ad.yieldmanager[2].txt
E:\Documents and Settings\ckrauss\Cookies\ckrauss@atdmt[1].txt
E:\Documents and Settings\ckrauss\Cookies\ckrauss@fastclick[1].txt
E:\Documents and Settings\ckrauss\Cookies\ckrauss@interclick[1].txt
E:\Documents and Settings\ckrauss\Cookies\ckrauss@microsoftwindows.112.2o7[1].txt
E:\Documents and Settings\kbell.TACOMA.000\Cookies\kbell@ad.wsod[2].txt
E:\Documents and Settings\kbell.TACOMA.000\Cookies\kbell@ads.bridgetrack[2].txt
E:\Documents and Settings\kbell.TACOMA.000\Cookies\kbell@atdmt[2].txt
E:\Documents and Settings\kbell.TACOMA.000\Cookies\kbell@msnportal.112.2o7[1].txt
cdn.insights.gravity.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.king5.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.mtvnservices.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.nbcdfw.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.opb.org [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media.scanscout.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
media1.break.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
objects.tremormedia.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
secure-us.imrworldwide.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
www.mediadump.com [ E:\Documents and Settings\tgriffit\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]
E:\Documents and Settings\tgriffit\Cookies\tgriffit@2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@ads.roiserver[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@apmebf[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@arkansasonline.112.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@associatedcontent.112.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@bravenet[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@burstbeacon[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@burstnet[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@counter.hitslink[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@dc.tremormedia[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@e-2dj6wdkisoc5gap.stats.esomniture[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@findagrave[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@findarticles[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@imrworldwide[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@interclick[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@invitemedia[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@kontera[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@liveperson[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@liveperson[3].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@liveperson[4].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@media.adfrontiers[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@media6degrees[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@micron.112.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@perf.overture[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@questionmarket[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@rainbowmedia.122.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@s.clickability[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@sales.liveperson[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@saxowesterncommunications.122.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@server.iad.liveperson[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@statcounter[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@statse.webtrendslive[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@surveymonkey.122.2o7[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@tracker.opticsplanet[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@traveladvertising[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@www.burstbeacon[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@www.burstnet[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@www.downrangemedia[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@www.piercecountywa[1].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@www.windowsmedia[2].txt
E:\Documents and Settings\tgriffit\Cookies\tgriffit@xiti[1].txt
burstnet.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
cdn4.specificclick.net [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
crackle.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
ec.atdmt.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
ia.media-imdb.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
input.insights.gravity.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
interclick.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.katu.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.king5.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.komonews.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.mtvnservices.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.mtvu.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.nbcmiami.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.scanscout.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.tattomedia.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.vmixcore.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media.wbng.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
media1.break.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
msnbcmedia.msn.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
objects.tremormedia.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
oddcast.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
richmedia247.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
secure-us.imrworldwide.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
spe.atdmt.com [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
udn.specificclick.net [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
vmixmedia-0.vo.llnwd.net [ E:\Documents and Settings\tgriffit2\Application Data\Macromedia\Flash Player\#SharedObjects\6ET4TCU2 ]
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@ad.yieldmanager[2].txt
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@advertising[2].txt
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@atdmt[1].txt
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@content.yieldmanager[2].txt
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@doubleclick[1].txt
E:\Documents and Settings\tgriffit2\Cookies\tgriffit@richmedia.yahoo[1].txt

HI, we killed 2 downloaders so let's do another scan. After which we can try SFC on the Task Manager.

Also Update and reun MBAM.

ESET

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the ESET Online Scanner button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Eset Smart Installer icon on your desktop.
• Check the "YES, I accept the Terms of Use"
• Click the Start button.
• Accept any security warnings from your browser.
• Check Scan archives
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push "List of found threats"
• Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the "<<Back" button.
• Push Finish

In your next reply, please include the following:

• Eset Scan Log

NOTE: In some instances if no malware is found there will be no log produced.



SFC

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

Having some challenges with sfc. We don't have CD's only install points on network shares. I downloaded SP3 but it comes as an exe file. I'll keep swinging but in the mean time here are those log files...

The ESET shows something under his destop\video tools. This was something he recalls doing before his PC went kablowie. (Yes, that'a a technical term. ) So it looks like we're on the right track.

ESET Log

E:\Documents and Settings\tgriffit\Desktop\Video Tools\i3DVR\ClassPackage.dll probably a variant of Win32/Dialer.generic application cleaned by deleting - quarantined

E:\IntelliUpSite\ClassPackage.dll.tmp probably a variant of Win32/Dialer.generic application cleaned by deleting - quarantined

MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4466

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2010 3:19:22 PM
mbam-log-2010-08-23 (15-19-22).txt

Scan type: Full scan (E:\|)
Objects scanned: 297746
Time elapsed: 3 hour(s), 40 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Maybe we can get it back by restoring to a point prior to the issues. We may become infected again,but you can scan immeiately with all 3.
.

OK, but I don't know how to do a restore without actually logging in to the PC.

maybe we can get in like this.
To start System Restore using the Command prompt, follow these steps:

Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
Use the arrow keys to select the Safe mode with a Command prompt option.
If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
Log on as an administrator or with an account that has administrator credentials.
At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
Follow the instructions that appear on the screen to restore your computer to a functional state.

OK, so I was skeptical about being able to get to safe-mode cuz the original problem was Ctrl+Alt+Del didn't work. Lo and Behold Safe-Mode works... restored to a previous known good copy and the user is doing the happy dance... Thanx for ALL the time and effort!

Good,,,, Now update and run a Quick scan with MBAm ..to be sure we haven't restored to an infected state.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
if that is clean then...