
Severely Compromised System - What's The First Step?


This topic is locked. 59 replies to this topic.

#1 GeekGrrl (Members)

Posted 01 October 2010 - 03:21 PM

Hey White Hats (good guys),

I posted more details as to the story of this computer I'm working on, but the short version is that my brother bought this computer about 14 months ago. I set him up with all the stuff I thought he should have like AntiVir, SUPERAntiSpyware and MalwareBytes, showed him how to use them, and then never checked back. I really should have... my parents don't listen when I set their machines up and he doesn't listen either.

Last week he moved back with our folks to save for a house and since they have several computers, he left his with me. I am VERY excited. I'm in university and broke and haven't had a new computer in 8 years! Then my brother got red-faced and owned up that he hadn't really done any of the things I showed him.

And that he'd clicked a few things he maybe shouldn't have.

AND that he had disabled one of the antimalware programs because it wasn't letting him do something. *head/desk*

Anyway, I set it all up today, and wow. This is beyond any of the computers I have fixed before. Also, I am very familiar with Windows XP, but not Vista!

I'm posting this from the Guest account on the infected/infested computer. When I try to log into the main user (Admin) account, several error messages and other windows pop up, very quickly, and then boom - the computer simply reboots.

I have fixed four other computers that had been infested with malware. In 2005, my own computer was hit by a drive-by download and that was my introduction to this world - I learned a LOT and managed to completely restore and protect it until it died 3 years later (hard drive failure)! However, I don't even know where to begin with this one!

I'm hoping someone can give me a basic first step. I looked at the tutorial, but the system is so compromised I couldn't perform a backup or download anything new! The computer is a desktop: HP Pavilion a6152n with Windows Vista Home Premium.

Thanks in advance. I'll be waiting!!

Edited by GeekGrrl, 01 October 2010 - 03:22 PM.



#2 boopme (Global Moderator)

Posted 01 October 2010 - 04:10 PM

Hello and welcome. We call that "PEBCAK": Problem Exists Between Chair And Keyboard.

"I looked at the tutorial" - which one, please?

Let's try starting here.
Since you have SAS and MBAM installed, you just need to update them first.

Reboot into Safe Mode with Networking
How to enter safe mode
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable the anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 GeekGrrl (Topic Starter)

Posted 01 October 2010 - 04:58 PM

QUOTE(boopme @ Oct 1 2010, 02:10 PM)
Hello and welcome. We call that "PEBCAK": Problem Exists Between Chair And Keyboard.


Exactly. Thanks for the welcome!

QUOTE(boopme @ Oct 1 2010, 02:10 PM)
"I looked at the tutorial" - which one, please?


The one called "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help"

I will now follow the steps you outlined in the post above. Thanks for your response!

Just to clarify, since the problems seem to be mostly with the Administrator account, you want me to follow these steps in that account, right?

#4 boopme (Global Moderator)

Posted 01 October 2010 - 07:21 PM

Hi, the first part yes, but I recommend scanning all accounts with SAS.

#5 GeekGrrl (Topic Starter)

Posted 01 October 2010 - 08:47 PM

Rebooted computer into Safe Mode with Networking.

Disabled all computer software.

Downloaded and ran FixExe.reg and RKill.

Updated and ran SuperAntiSpyware. Here is the log (I apologize for the offensive words in the URLs - oh, my):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2010 at 05:10 PM

Application Version : 4.44.1000

Core Rules Database Version : 4753
Trace Rules Database Version: 2565

Scan type : Complete Scan
Total Scan Time : 01:20:39

Memory items scanned : 307
Memory threats detected : 0
Registry items scanned : 11027
Registry threats detected : 2
File items scanned : 161051
File threats detected : 74

Adware.Tracking Cookie
C:\Users\london drugs\AppData\Roaming\Microsoft\Windows\Cookies\london_drugs@ads.bleepingcomputer[1].txt
C:\Users\london drugs\AppData\Roaming\Microsoft\Windows\Cookies\london_drugs@collective-media[2].txt
media.scanscout.com [ C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CJ5M9R6D ]
secure-us.imrworldwide.com [ C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CJ5M9R6D ]
www.ziporn.com [ C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CJ5M9R6D ]
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@ad.yieldmanager[2].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@ads.bleepingcomputer[1].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@bs.serving-sys[2].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@collective-media[2].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@doubleclick[1].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@serving-sys[1].txt
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies\guest@tribalfusion[1].txt
69sexgalleries.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
acvs.mediaonenetwork.net [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
adsatt.espn.go.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
advprotraffic.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
banners.securedataimages.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
bc.youporn.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
c2.zedo.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
cdn-www.pornhub.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
cloudfront.mediamatters.org [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
content3.pornkolt.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
crackle.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
ec.www.teenmodels.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
flvplayer2.hardsextube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
free.bangmyteenass.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
free.youngsexparties.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
googleads.g.doubleclick.net [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
hardcoreporntube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
ia.media-imdb.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
interclick.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
macromedia.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.celebritycruises.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.heavy.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.ign.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.jambocast.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.mtvnservices.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.noob.us [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.resulthost.org [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.scanscout.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.scrippsnewspapers.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media.tattomedia.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media01.kyte.tv [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
media1.break.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
msnbcmedia.msn.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
naiadsystems.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
objects.tremormedia.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
pornotube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
secure-us.imrworldwide.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
seriouspornmovies.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
static.sexsearch.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
static.xxxmatch.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
static.youporn.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
teenstarsonly.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
tools.latinteencash.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
vidii.hardsextube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
vidii2.hardsextube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
vitamine.networldmedia.net [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.bdsmwife.info [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.naiadsystems.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.pornhost.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.pornhub.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.pornotube.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.pornstarnetwork.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.porntown.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.sexworldporn.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.sexymusclegirls.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.sexypattycakenude.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.teenhomegalleries.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.youngporn.net [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
www.youngpornmovies.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
wwwstatic.megaporn.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]
youporn.videobox.com [ C:\Users\london drugs\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CKJT5PF4 ]

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-3776389945-3318927412-894809206-1001\Control Panel\don't load#wscui.cpl [ No ]

Rogue.WinPCDefender
HKU\S-1-5-21-3776389945-3318927412-894809206-1001\Software\WinPC Defender
C:\Users\london drugs\AppData\Roaming\Microsoft\Windows\Start Menu\WinPC Defender.LNK

END SuperAntiSpyware Log

Rebooted computer into "normal" mode, logged into Admin account. Two error messages loaded and then disappeared before I could copy the text down. Computer then logged off and rebooted itself.

Pressed F8 to boot into Safe Mode with Networking again. Launched SAS to get the log file. Downloaded, updated and ran MalwareBytes AntiMalware.

Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4731

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18943

10/1/2010 6:21:49 PM
mbam-log-2010-10-01 (18-21-49).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 312707
Time elapsed: 49 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3u54d0hk-76gn-ub16-7117-xr2m8877k84j} (Generic.Bot.H) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxayanawifukine (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwuqo (Trojan.Agent.U) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData(x96)\update_231.exe (Adware.FlvDirect) -> No action taken.
C:\ProgramData(x96)\update_498.exe (Adware.FlvDirect) -> No action taken.
C:\ProgramData(x96)\update_940.exe (Adware.FlvDirect) -> No action taken.
C:\ProgramData(x96)\update_965.exe (Adware.FlvDirect) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\bpro_cd714_1890.exe (Adware.BHO) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\e4u-pfatch.exe (Malware.Packer.Gen) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\gasvwd.exe (Trojan.Hiloti.Gen) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\pbaua.exe (Trojan.Zbot) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\ysquprc.exe (Adware.BHO) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\nsk5E39.tmp\nsBlowFish.dll (Trojan.Agent) -> No action taken.
C:\Users\london drugs\AppData\Roaming\logs.dat (Bifrose.Trace) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> No action taken.
C:\Users\london drugs\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> No action taken.
C:\Program Files/MachineLocal/explorer.exe (Trojan.Agent) -> No action taken.

END MBAM Log

Rebooted into normal mode. There was one error message. I could not get all the text, but here is the text I did get: "AppleSyncNotifier.exe: Unable to locate component... corefoundation.dll..."

This error message disappeared while I was trying to copy it, and the computer once again logged off and rebooted itself. I again pressed F8 to boot into Safe Mode with Networking and came here and posted this message!

Thanks so much for looking at this! I'll keep checking back.

Edited by GeekGrrl, 02 October 2010 - 12:22 AM.
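Every finding in the MBAM log above ends in "No action taken", which is the detail worth checking before trusting a rescan: the Run values, the Explorer policy Run value and the Active Setup component are autostart locations, and anything left in place there relaunches the malware at the next logon. The following is an added example, not code from the thread or from Malwarebytes, that parses a log in this 1.x layout, separates what was found from what was actually removed, and flags the unremediated autostart entries. The sample log is constructed to match the format (generic names, not the entries from the thread), and the list of autostart patterns is this example's own, not a Malwarebytes category.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log: what was found, what
was actually removed, and which unremediated entries are autostart points
that will relaunch the malware after a reboot."""
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.x log layout; not the log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4731

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000} (Generic.Bot.H) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\someone\AppData\Local\Temp\abc.exe (Trojan.Zbot) -> No action taken.
C:\Users\someone\AppData\Local\Temp\def.exe (Adware.BHO) -> Quarantined and deleted successfully.
"""

# One finding line: "<item> (<detection>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Registry Values Infected:" (the summary lines carry a count, so they do not match)
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")

# Autostart locations that appear in MBAM logs; this example's own list, most specific first.
PERSISTENCE_PATTERNS = [
    (re.compile(r"\\Policies\\Explorer\\Run\\", re.I), "Explorer policy Run value"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I), "Run/RunOnce value"),
    (re.compile(r"\\Active Setup\\Installed Components\\", re.I), "Active Setup component"),
    (re.compile(r"\\Control Panel\\don't load\\", re.I), "Security Center applet suppressed"),
]


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    detection: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM writes "No action taken." when Remove Selected was never applied.
        return not self.action.lower().startswith("no action taken")

    @property
    def persistence(self):
        for pattern, label in PERSISTENCE_PATTERNS:
            if pattern.search(self.item):
                return label
        return None


def parse_mbam_log(text: str):
    """Return the findings in log order, each tagged with its section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["detection"], m["action"]))
    return findings


def triage(text: str) -> dict:
    """Counts plus the unremediated autostart entries that survive a reboot."""
    findings = parse_mbam_log(text)
    unremediated = [f for f in findings if not f.remediated]
    live = [(f.persistence, f.item) for f in unremediated if f.persistence]
    return {
        "total": len(findings),
        "unremediated": len(unremediated),
        "live_persistence": live,
        "needs_rescan": bool(unremediated),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log by reading the file MBAM names at the top of its report (mbam-log-YYYY-MM-DD (hh-mm-ss).txt) and passing the text to triage(); a non-empty live_persistence list means the scan must be repeated with Remove Selected before the reboot is meaningful.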


#6 boopme (Global Moderator)

Posted 02 October 2010 - 09:30 AM

Hello again, this was really good. Do not fret about the entries for me.

I need to ask to be sure as the MBAM logs say "No action taken." Did you click "Remove Selected" and reboot after the scan?

That message ("AppleSyncNotifier.exe: Unable to locate component... corefoundation.dll...") is most likely due to malware corruption of Apple files. Two things to try: use Autoruns to stop it and see if all Apple apps are running well, or the second step below.
BUT we need to run the ESET scan (all the way below) first.

AUTORUNS

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. --->> corefoundation.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.

2) You can try to uninstall all Apple products and hope the message will go away. However, that may not always help. You may have to reinstall the Apple products such as iTunes, QuickTime and Bonjour and then uninstall them so the error message you are receiving will go away.


Now we need to do an online scan with ESET.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
  • In your next reply, please include the following:
    • Eset Scan Log


    NOTE: In some instances if no malware is found there will be no log produced.
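The Autoruns step in the post above is a manual search through the startup list for an entry whose file is gone. As an added example (not code from the thread or from Sysinternals), here is the same check written in Python over constructed Run-key values: it resolves the file each entry really depends on (a quoted path, an unquoted path with spaces, a %VAR% expansion, rundll32 loading a DLL) and lists the entries whose target no longer exists. The entries, the fake disk contents and the environment map are constructed for the example; on a real machine the values would come from reg query or Autoruns and the exists callable would be os.path.exists. The bare-name lookup in System32 is a simplification of the PATH search Windows performs.

```python
"""Find autostart (Run-key) entries whose target file is gone: the orphaned
values that make Windows print "Cannot find..." / "could not be found" at
logon after a scanner deleted the file but left the registry value behind."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed Run-key values (name -> command line) in the form Autoruns or
# `reg query HKCU\...\Run` would show them; not taken from the thread.
SAMPLE_ENTRIES: Dict[str, str] = {
    "Guard":   r'"C:\Program Files\Vendor\Guard.exe" /minimized',
    "ctfmon":  r"ctfmon.exe",
    "update":  r"C:\Users\someone\AppData\Local\Temp\update_123.exe",
    "helper":  r'rundll32.exe "C:\Users\someone\AppData\Local\Temp\helper.dll",Init',
    "Spaced":  r"C:\Program Files\Some Vendor\tool.exe -tray",
    "EnvPath": r'"%ProgramFiles%\Vendor\Guard.exe" /start',
    "Gone":    r"C:\Program Files\Old Vendor\agent.exe /s",
}
# Constructed stand-in for the disk: the files that still exist (lower-cased).
FAKE_DISK = {
    r"c:\program files\vendor\guard.exe",
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\program files\some vendor\tool.exe",
}
ENV = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd")


def fake_exists(path: str) -> bool:
    """Replace with os.path.exists on a live system."""
    return path.lower() in FAKE_DISK


def expand_env(cmd: str, env: Dict[str, str]) -> str:
    """Expand %VAR% the way REG_EXPAND_SZ values are expanded at logon."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), cmd)


def split_program(cmd: str, exists: Callable[[str], bool]) -> Tuple[str, str]:
    """Return (program, arguments). A quoted first token is the program.
    For an unquoted command line Windows tries each space-delimited prefix
    in turn until one exists on disk (which is why unquoted paths under
    'C:\\Program Files' are a hijack risk); if none exists, assume the
    prefix that ends in an executable extension, else the first token."""
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].lstrip()
    tokens = cmd.split(" ")
    prefixes = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    for pick in (exists, lambda p: p.lower().endswith(EXE_EXT)):
        for i, candidate in enumerate(prefixes, start=1):
            if pick(candidate):
                return candidate, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])


def autostart_target(cmd: str, env: Dict[str, str], exists: Callable[[str], bool]) -> str:
    """The file this autostart value actually depends on."""
    program, args = split_program(expand_env(cmd, env), exists)
    if "\\" not in program:
        # Bare name: simplified stand-in for the PATH search (System32 only).
        system_root = env.get("SystemRoot", r"C:\Windows")
        program = system_root + "\\System32\\" + program
    if program.lower().endswith("\\rundll32.exe") and args:
        # rundll32.exe itself is always present; the DLL it loads is what matters.
        if args.startswith('"'):
            return args[1:args.find('"', 1)]
        return args.split(",", 1)[0].strip()
    return program


def find_orphans(entries: Dict[str, str], env: Dict[str, str],
                 exists: Callable[[str], bool]) -> List[str]:
    """Names of entries whose resolved target no longer exists on disk."""
    return sorted(name for name, cmd in entries.items()
                  if not exists(autostart_target(cmd, env, exists)))


if __name__ == "__main__":
    for name in find_orphans(SAMPLE_ENTRIES, ENV, fake_exists):
        target = autostart_target(SAMPLE_ENTRIES[name], ENV, fake_exists)
        print(f"orphaned autostart: {name} -> {target}")
```

The orphan list is the set of values to delete in Autoruns or with reg delete; an entry whose target does exist is not an orphan and deserves a closer look at the file itself rather than at the registry value.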

#7 GeekGrrl (Topic Starter)

Posted 02 October 2010 - 02:48 PM

QUOTE(boopme @ Oct 2 2010, 07:30 AM)
Hello again, this was really good. Do not fret about the entries for me.

I need to ask to be sure as the MBAM logs say "No action taken." Did you click "Remove Selected" and reboot after the scan?


I did. I was surprised to see "no action taken", because I thought I had clicked the right thing, but perhaps I missed something somewhere.

QUOTE(boopme @ Oct 2 2010, 07:30 AM)
That message ("AppleSyncNotifier.exe: Unable to locate component... corefoundation.dll...") is most likely due to malware corruption of Apple files. Two things to try: use Autoruns to stop it and see if all Apple apps are running well, or the second step below.


Just to clarify, the AppleSyncNotifier.exe message was there before I came here for help. It's the least of our problems right now, especially after what I found this morning.

Last night, I put the computer to "sleep" and went to bed. Somewhere between then and when I woke up (about 8 hours or so), it began rebooting itself constantly. I only became aware of it when I put my hearing aids in (I'm deaf) and heard the Windows startup sound... I thought that was weird and went to the study. It was on the welcome screen where you can choose which account to log into. I chose the "Guest" account as that is the one I've been posting from. Within about 30 seconds or less, this error message came up: "You are about to be logged off: Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."

That sounded ominous, so I hit F8 as it was coming up and booted into Safe Mode with Networking. This time when the welcome screen came up, I chose the Admin account (what is the correct term for the owner's account with the administrative rights? I want to make sure I'm using the right words for everything), because I was in safe mode and it's the one that needs more work anyway.

Even in Safe Mode with Networking, the message came up, "Windows has encountered a critical problem and will restart automatically..."

This time, I didn't hit F8 and didn't even choose an account. I let it sit on the welcome screen to see if it would restart again. It did. So I shut it down completely. I'm now on my husband's computer, hoping there is an answer to this so we can fix that bleeping computer!

More important information: you recommended doing a SAS on all accounts, so last night while waiting for responses here, I ran SAS and MBAM on the Guest account. During the scan, Avira AntiVir popped up with several (5, I think) Trojans. The default option was "Deny Access", but I didn't know if that would be the best thing! There was a "Move to Quarantine" option and that was the one I chose for all but one (my husband saw the first one and chose the default option before I explained to him that that computer is a mess and he should let me do all the clicking for now!).

I'm going to wait for your answer as to what I should do now. Thank you so much!!

Edited by GeekGrrl, 02 October 2010 - 02:48 PM.


#8 boopme (Global Moderator)

Posted 02 October 2010 - 04:40 PM

OK, this is not too good, as you can see. So we have a PC you cannot boot, as it will just start rebooting or it will not even boot up now.

A possibility...
When you get a message that the system is shutting down, follow these steps to stop the cycle:
  • Press the Windows Key + R keys on your keyboard or go to > Run..., and in the Open dialog box, type: cmd
  • Click Ok or press Enter.
  • At the command prompt C:\>, type: shutdown -a
  • Press Enter.
-- Vista users can refer to these instructions: How to Enable Run Command in Vista - How to Run a command prompt as an Administrator

That should give you enough time to run Rkill and rescan immediately afterwards with Malwarebytes. Rkill terminates malware processes which target your security tools and keeps them from running or completing a scan.

#9 GeekGrrl (Topic Starter)

Posted 02 October 2010 - 06:23 PM

QUOTE(boopme @ Oct 2 2010, 02:40 PM)
OK, this is not too good, as you can see. So we have a PC you cannot boot, as it will just start rebooting or it will not even boot up now.

A possibility...
When you get a message that the system is shutting down, follow these steps to stop the cycle:
  • Press the Windows Key + R keys on your keyboard or go to > Run..., and in the Open dialog box, type: cmd
  • Click Ok or press Enter.
  • At the command prompt C:\>, type: shutdown -a
  • Press Enter.
-- Vista users can refer to these instructions: How to Enable Run Command in Vista - How to Run a command prompt as an Administrator

That should give you enough time to run Rkill and rescan immediately afterwards with Malwarebytes. Rkill terminates malware processes which target your security tools and keeps them from running or completing a scan.


OK, I booted into Safe Mode with Networking, logged into the Admin account, and waited about a minute. When no message appeared, I ran RKill.

I then loaded MBAM and began running it. However, the "critical problem" message showed up about 25 minutes into the scan. (MBAM had found nothing at this point.)

I pressed Windows + R, then typed 'cmd', then Enter, then shutdown -a. The message: "A shutdown is in progress."

I waited to see if MBAM could complete its scan. About a minute or two later, the screen went black and the computer rebooted.

I booted into Safe Mode with Networking, chose the Admin account and logged in. However, this time it would not even load past the "Welcome" screen. The screen then went black and the computer rebooted.

At the login screen, I just shut down the computer.

I have no idea what to do next.


    #10 boopme (To Insanity and Beyond; Global Moderator, 73,490 posts, NJ USA)

    Posted 02 October 2010 - 06:39 PM

    Hello. I am moving this to the Virus, Trojan, Spyware, and Malware Removal Logs. I am going to ask someone that specializes in this situation to take a look.

    #11 JSntgRvr (Master Surgeon General; Malware Response Team, 11,758 posts, Puerto Rico)

    Posted 03 October 2010 - 02:09 AM

    Hi, GeekGrrl smile.gif

    welcome.gif

    Let's give it a try. You will need a USB drive. (It will also be nice to know if you have a Windows XP installation CD, as we can have other options to try.)

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Next download driver.sh to your USB drive
    • Remove the USB drive and the CD and insert them in the sick computer
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • Gently tap F12 and choose to boot from the CD
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see driver.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash driver.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named report.txt
    • Remove the USB drive and insert it back in your working computer and navigate to report.txt

      Please note - all text entries are case sensitive
    Copy and paste the report.txt for my review

    No requests for help through private messaging will be attended to.

    If I have helped you, consider making a donation to help me continue the fight against Malware!
    btn_donate_SM.gif
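    The procedure above boots the sick PC from a Linux live CD (xPUD), locates the Windows volume under /mnt, runs a script from the USB drive and carries report.txt back to the clean machine. The script below is an added example of that kind of offline triage; it is not the driver.sh from the post, and what driver.sh actually collects is not shown on this page. It assumes the Windows volume is already mounted read-only under /mnt (e.g. /mnt/sda1), that the USB drive is mounted at /mnt/sdb1, that the directory of interest is Windows\System32\drivers, and that the live system has GNU find/stat and sha256sum (with a BSD fallback). The 30-day "recently modified" window is an arbitrary choice. Because the volume is only read, nothing on the sick disk is changed, which is the point of doing this from a live CD rather than from the rebooting Windows install.

```shell
#!/bin/bash
# Offline driver-directory triage from a Linux live CD.
# Added example: NOT the driver.sh referred to in the post.
# Assumptions: Windows volume mounted read-only under /mnt (e.g. mount -o ro
# /dev/sda1 /mnt/sda1), USB drive at /mnt/sdb1, GNU or BSD find/stat present.

# Print the first mount point under $1 (default /mnt) that contains a
# Windows\System32\drivers directory; return 1 if no Windows volume is mounted.
find_windows_root() {
    base="${1:-/mnt}"
    for d in "$base"/*/; do
        if [ -d "${d}Windows/System32/drivers" ]; then
            printf '%s\n' "${d%/}"
            return 0
        fi
    done
    return 1
}

# sha256 of one file, with whichever tool the live CD ships.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# triage_drivers <windows-root> <report-file> [days]
# Lists every file directly inside Windows\System32\drivers with its mtime,
# size and sha256, marks files modified within the last <days> (default 30)
# as NEW, writes the listing to <report-file> and prints the NEW count.
# A driver dropped by a rootkit typically stands out here as the only NEW
# file among hundreds of old, same-dated Microsoft drivers.
triage_drivers() {
    root="$1"; report="$2"; days="${3:-30}"
    drv="$root/Windows/System32/drivers"
    if [ ! -d "$drv" ]; then
        echo "no $drv: is the Windows volume mounted at $root?" >&2
        return 1
    fi
    {
        echo "Driver listing for $drv"
        echo "Generated $(date -u +%Y-%m-%dT%H:%M:%SZ); NEW = modified in the last $days days"
        echo "flag  mtime  size  sha256  path"
        find "$drv" -maxdepth 1 -type f | sort | while IFS= read -r f; do
            # find prints the file only when its mtime is newer than <days> days
            if [ -n "$(find "$f" -mtime -"$days")" ]; then flag=NEW; else flag=old; fi
            # stat -c is GNU; fall back to BSD stat on other live systems
            meta=$(stat -c '%y %s' "$f" 2>/dev/null || stat -f '%Sm %z' "$f")
            printf '%s  %s  %s  %s\n' "$flag" "$meta" "$(file_sha256 "$f")" "$f"
        done
    } > "$report"
    find "$drv" -maxdepth 1 -type f -mtime -"$days" | wc -l | tr -d ' '
}

# On the live CD: bash triage.sh --run [/mnt] [/mnt/sdb1/report.txt]
if [ "${1:-}" = "--run" ]; then
    base="${2:-/mnt}"; out="${3:-/mnt/sdb1/report.txt}"
    root=$(find_windows_root "$base") || { echo "no Windows volume mounted under $base" >&2; exit 1; }
    n=$(triage_drivers "$root" "$out")
    echo "$n recently modified driver file(s); report written to $out"
fi
```

    Copy the script to the USB drive alongside the report, open the terminal from the Tool menu as in the steps above, and run it with `bash triage.sh --run`; the report then travels back to the clean computer on the USB drive exactly as report.txt does in the post. Hashes are included so that any file that looks suspicious can be checked on the clean machine without ever executing it on the infected one.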


    #12 GeekGrrl (Topic Starter; Members, 37 posts)

    Posted 03 October 2010 - 02:15 AM

    QUOTE(JSntgRvr @ Oct 3 2010, 12:09 AM) View Post
    Hi, GeekGrrl smile.gif

    welcome.gif


    Thanks so much!

    QUOTE
    Let's give it a try. You will need a USB drive. (It will also be nice to know if you have a Windows XP installation CD, as we can have other options to try.)


    I have a USB drive. smile.gif But just to clarify, the OS of the infected computer is Windows Vista Home Premium. So would I still need Win XP CDs? I do have XP recovery discs from another WinXP system, but I just wanted to make sure I clarified that the infected computer is using Vista. wink.gif

    #13 JSntgRvr (Master Surgeon General; Malware Response Team, 11,758 posts, Puerto Rico)

    Posted 03 October 2010 - 09:07 AM

    QUOTE(GeekGrrl @ Oct 3 2010, 03:15 AM) View Post
    QUOTE(JSntgRvr @ Oct 3 2010, 12:09 AM) View Post
    Hi, GeekGrrl smile.gif

    welcome.gif


    Thanks so much!

    QUOTE
    Let's give it a try. You will need a USB drive. (It will also be nice to know if you have a Windows XP installation CD, as we can have other options to try.)


    I have a USB drive. smile.gif But just to clarify, the OS of the infected computer is Windows Vista Home Premium. So would I still need Win XP CDs? I do have XP recovery discs from another WinXP system, but I just wanted to make sure I clarified that the infected computer is using Vista. wink.gif

    The XP disk must be the installation disk. A recovery disk won't do. It is another option to xPUD.

    Let me know if you are having problems creating the XPud cd. If your system is able to boot from a USB device, we can also create a bootable USB drive with XPud.



    #14 GeekGrrl (Topic Starter; Members, 37 posts)

    Posted 03 October 2010 - 03:51 PM

    QUOTE(JSntgRvr @ Oct 3 2010, 07:07 AM) View Post
    The XP disk must be the installation disk. A recovery disk won't do. It is another option to xPUD.

    Let me know if you are having problems creating the XPud cd. If your system is able to boot from a USB device, we can also create a bootable USB drive with XPud.


    I am downloading the xPUD file now. I don't have an XP installation disk. However, before we go any further, I'd really like you to clarify that these tools are going to work with a Windows Vista computer, which is what the sick PC is.

    #15 GeekGrrl (Topic Starter; Members, 37 posts)

    Posted 03 October 2010 - 04:21 PM

    I downloaded xPUD and followed the steps re: burning the CD and downloading driver.sh to a USB drive.

    There was no mention of how or when to insert the CD, so I inserted it as the CD drive would open after I pressed the power button to turn the sick PC on.

    I pressed F12, nothing happened, and the computer booted normally (when I say "normally", I simply mean it booted into normal mode).

    I restarted the computer, waited until the blue HP splash screen and pressed F12 again. Absolutely nothing happened, and it booted into normal mode, taking me to the Login screen.

    Can I please get some clarification that these instructions are indeed for Windows Vista Home Premium?

    I did try pressing F8, but could not see an option for booting from the CD.

    Ideas?



