Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cannot Update Security Essentials or Windows Update


  • This topic is locked This topic is locked
5 replies to this topic

#1 JustinBarnett

JustinBarnett

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 19 October 2010 - 09:25 PM

Looks like I started this out in the wrong spot. I've copied and pasted over the information, but here is a link to the original thread: http://www.bleepingcomputer.com/forums/topic354776.html

Here is my issue:
I am working on my future father-in-law's computer. When I first got the computer to work on, it had several fake anti-virus and spyware programs on it. I have removed as much as I can and used MalwareBytes, Super AntiSpyware, SpyBot S&D, and Microsoft Security Essentials to clean as much as possible. The scans are now all coming back clean, but I still cannot update the security definitions for Microsoft Security Essentials and when I click on Windows Update, the page always comes back "cannot be displayed". I am also getting random pop-ups for various scandalous websites.

Here is the DDS log as requested, as well as the Attach.txt file:



DDS (Ver_10-10-10.03) - NTFSx86
Run by Dick at 21:05:14.51 on Tue 10/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1318 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Dick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.weather.com/weather/today/Gainesville+TX+76240?lswe=76240&lwsa=WeatherLocalUndeclared&from=whatwhere
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NWEReboot]
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\documents and settings\dick\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\dick\startm~1\programs\startup\EPSONA~1.LNK -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188072250031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://localhost:2002/activex/RACtrl.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dick\applic~1\mozilla\firefox\profiles\3sehfts6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/local/76240?lswe=76240&lwsa=WeatherLocalUndeclared&from=whatwhere
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1700A13B-85E3-4AE7-BC61-7EB5134EB068} - c:\documents and settings\dick\local settings\application data\{1700a13b-85e3-4ae7-bc61-7eb5134eb068}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-26 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-20 00:56:22 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-15 01:44:07 -------- d-----w- c:\docume~1\dick\applic~1\SUPERAntiSpyware.com
2010-10-15 01:44:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-15 01:43:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-15 01:05:19 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8fb3ec85-e4bb-496c-93d4-a2ea4adc4545}\mpengine.dll
2010-10-15 01:01:57 -------- d-----w- c:\docume~1\dick\locals~1\applic~1\{1700A13B-85E3-4AE7-BC61-7EB5134EB068}
2010-10-12 01:33:45 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-10-12 01:25:16 -------- d-----w- c:\windows\ERUNT
2010-10-12 01:16:42 388096 ----a-r- c:\docume~1\dick\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-12 01:16:41 -------- d-----w- c:\program files\Trend Micro
2010-10-12 01:11:15 -------- d-----w- C:\SDFix
2010-10-01 19:39:28 0 ----a-w- c:\windows\Xrimexuyi.bin
2010-10-01 19:38:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-10-01 19:38:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-10-01 19:38:00 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-10-01 19:38:00 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-10-01 19:37:57 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-10-01 19:37:57 8192 ----a-w- c:\windows\system32\drivers\changer.sys

==================== Find3M ====================

2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 21:07:02.70 ===============



Here is the GMER log:


GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-19 21:21:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Dick\LOCALS~1\Temp\uxrdipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAB2A9620]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C7C380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A5000C
.text C:\WINDOWS\System32\svchost.exe[1196] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0241000A
.text C:\WINDOWS\System32\svchost.exe[1196] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A
.text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0166000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0167000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0165000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2396] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\wuauclt.exe[2784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\wuauclt.exe[2784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F9000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A550298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A550298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A550298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A550298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 8A550298
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD2500JB-55REA0_____________________20.00K20#5&24d93a26&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----





Please let me know what I can do to get this thing cleaned out.

Thanks,


Justin

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:02 PM

Posted 29 October 2010 - 07:26 AM

Hello JustinBarnett

Welcome to BleepingComputer :)
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following


===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 01 November 2010 - 11:03 AM

I apologize for not replying yet. Been busy with Halloween stuf this weekend. I will have these logs posted tonight as soon as I can get home from the office.

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:02 PM

Posted 01 November 2010 - 01:19 PM

No problem post when you can
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 16 November 2010 - 03:35 PM

I'm sorry for not replying sooner, but I ended up doing a complete reformat and OS reinstall. This computer had been used for online stock trading and I didn't want to take any chances of that information being compromised. Thanks for the warnings regarding future security issues.

Justin

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:02 PM

Posted 16 November 2010 - 06:29 PM

You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users