PCSpeedMax Malware problem


1 reply to this topic

#1 Sonoma Boy

Sonoma Boy

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:07 AM

Posted 07 November 2010 - 02:04 PM

Hello. Thank you ahead of time for all your efforts in helping me resolve the computer malware problem I am having. My name is Reed.

The problem started several days ago. I noticed that Internet Explorer started acting funny. It would lock up or operate very slowly. Then a few minutes after starting it, an additional instance of IE would appear with a fake pop-up style window that says: “You May Have Errors in Your Operating System Registry! Click to Download Free Registry Cleaner Software.” The URL of the site was http: //trk.s3.amazonaws.com/pcspeedmax.html. (Without the extra space).

In addition, I have noticed now that I can get an error message pop-up saying “The system cannot find the registry key specified: (shows the key)” when I go into the Control Panel and click on the Java option. This didn’t happen just the other day when I was trying to resolve the problem, but it does now. This suggests to me that the problem is getting worse.

In an effort to try to resolve it, I did download the MalwareBytes’ Anti-Malware v1.46 software. The very first time I ran it I got the below results. Ever since that time, the scan has come up clean.

I also use the Acronis True Image Home backup software. I restored my C: partition back to a time before the malware to see if that would resolve the problem. It didn’t. After using the system in this restored state for about an hour, the pop-up window appeared again in IE with the “You May Have Errors in Your…” error message.

Anyway, below I am including everything from the list of things the site indicates I provide. If there is anything else needed, please let me know. Thank you again for any help you can provide.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Brooks & Reed at 9:04:20.56 on Sun 11/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.230 [GMT -8:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\www\Apache22\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\www\mysql5\bin\mysqld-nt.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\www\Apache22\bin\httpd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Silverlight\4.0.50917.0\agcp.exe
C:\Documents and Settings\Brooks & Reed\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dellnet.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Digimarc ImageBridge reader BHO for IE: {6d6f1af0-ddcb-477f-a896-5d75e53b80a3} - c:\program files\digimarc\imagebridgereader\RM4IE.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &ImageBridge reader: {0ffe2f08-3ac9-4a91-a61d-4ff24f91a561} - c:\program files\digimarc\imagebridgereader\RM4IE.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Gadwin PrintScreen 2.6] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Digimarc Watermark Initializer] c:\program files\digimarc\imagebridgereader\WMInit.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access PC5250 Sound] "c:\program files\ibm\client access\emulator\pcssnd.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [youeqmpe] c:\windows\temp\sfxnjshfi\ptejmbxtsbl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: yahoo.net\yhst-17116217969881.us-dc1-edit.store
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000032-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msnaudio.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - hxxp://streamg.redhotnetworks.com/cabs/videox.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
DPF: {63DF43C2-469A-41F3-B119-17B1ACE8BB34} - hxxp://quadcam.sdsmt.edu/home/SonySncRz30View.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161547321671
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.6526273148
DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CDA74563-C18B-4EFE-B18E-ED89EB06355D} - hxxp://www.diamondperf.com/WebPatternControl.CAB
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-5-29 911680]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2004-2-13 6144]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-5-29 2480048]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-5-29 160704]
S2 gupdate1c9937129a5df36;Google Update Service (gupdate1c9937129a5df36);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S2 mrtRate;mrtRate; [x]
S3 Crepnpamrs;Crepnpamrs; [x]
S3 MSCLSSTs;MSCLSSTs;c:\windows\system32\drivers\MSCLSSTs.sys [2003-11-30 50287]
S3 MSCLSSTu;Solid State MP3 Player Control Driver;c:\windows\system32\drivers\MSCLSSTu.sys [2003-11-30 35810]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-2-25 11520]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-27 1245064]
S3 tomcat5;Apache Tomcat tomcat5;c:\www\tomcat5\bin\tomcat5.exe [2006-12-4 53248]

=============== Created Last 30 ================

2010-11-04 20:35 <DIR> --d----- c:\docume~1\brooks~1\applic~1\Malwarebytes
2010-11-04 20:35 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-04 20:35 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-11-04 20:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-11-04 20:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-04 06:59 664 a------- c:\windows\system32\d3d9caps.dat
2010-10-13 18:36 954,368 -------- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 18:36 974,848 -------- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 18:36 953,856 -------- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 18:36 617,472 -------- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-10-19 12:51 222,080 -------- c:\windows\system32\MpSigStub.exe
2010-09-18 11:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 11:23 974,848 a------- c:\windows\system32\dllcache\mfc42u.dll
2010-09-17 22:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-17 22:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-17 22:53 954,368 -------- c:\windows\system32\mfc40.dll
2010-09-01 03:51 285,824 a------- c:\windows\system32\atmfd.dll
2010-09-01 03:51 285,824 -------- c:\windows\system32\dllcache\atmfd.dll
2010-08-31 05:42 1,852,800 a------- c:\windows\system32\win32k.sys
2010-08-31 05:42 1,852,800 -------- c:\windows\system32\dllcache\win32k.sys
2010-08-27 00:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 00:02 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2010-08-26 21:57 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 21:57 99,840 -------- c:\windows\system32\dllcache\srvsvc.dll
2010-08-26 05:39 357,248 -------- c:\windows\system32\dllcache\srv.sys
2010-08-26 04:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-26 04:22 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2010-08-25 22:36 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2010-08-23 08:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 05:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-17 05:17 58,880 -------- c:\windows\system32\dllcache\spoolsv.exe
2010-08-16 00:45 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-08-16 00:45 590,848 -------- c:\windows\system32\dllcache\rpcrt4.dll
2010-03-03 22:02 60,744 a------- c:\documents and settings\brooks & reed\g2mdlhlpx.exe
2005-04-27 08:26 483,401 a------- c:\documents and settings\brooks & reed\gotomypc.exe
2003-01-08 03:22 207,758 a------- c:\program files\INSTALL.LOG
2002-09-11 06:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
2008-11-25 18:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112520081126\index.dat

============= FINISH: 9:06:15.75 ===============

Malwarebytes detected three Trojan.FakeAlert viruses on my computer and removed them. Here is the log file from that. Hopefully it will help some. Thanks.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5068

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2010 4:30:11 PM
mbam-log-2010-11-07 (16-30-11).txt

Scan type: Quick scan
Objects scanned: 174647
Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youeqmpe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\sfxnjshfi\ptejmbxtsbl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\852583.9178769713.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

EDIT: Posts merged ~BP

Edited by Budapest, 08 November 2010 - 04:15 PM.
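Added example (not from the thread, DDS or Malwarebytes): the dRun line in the DDS "Pseudo HJT Report" above and the HKEY_USERS\.DEFAULT\...\Run\youeqmpe value in the Malwarebytes log are the same persistence entry seen through two tools. The Python script below parses the uRun/mRun/dRun lines of a DDS report and flags entries that launch from a Temp directory or carry random-looking names, which is how a reviewer would pick that line out of a log this long. The scope letters follow DDS's convention (u = HKCU, m = HKLM, d = HKU\.DEFAULT, consistent with the Malwarebytes log). The sample log is a constructed excerpt of lines posted above, and the name-randomness thresholds are assumptions tuned on those lines.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" format. The last line is
# the entry from the thread that Malwarebytes later reported as
# Trojan.FakeAlert; the others are benign entries from the same report.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [youeqmpe] c:\windows\temp\sfxnjshfi\ptejmbxtsbl.exe
"""

# DDS prefix -> registry hive the Run value lives in.
SCOPES = {'u': 'HKCU', 'm': 'HKLM', 'd': r'HKU\.DEFAULT'}

RUN_LINE = re.compile(r'^(?P<scope>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

# Directories that legitimate autorun entries essentially never launch from.
TEMP_MARKERS = ('\\windows\\temp\\', '\\local settings\\temp\\', '\\temp\\')


def executable_path(cmd):
    """Return the program path from a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def looks_random(token):
    """Assumed heuristic for machine-generated names: 8+ letters with few
    vowels or a long consonant run. Thresholds chosen so short system names
    such as ctfmon or jusched do not trip it."""
    letters = re.sub(r'[^a-z]', '', token.lower())
    if len(letters) < 8:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    longest_consonant_run = max(len(r) for r in re.split(r'[aeiou]', letters))
    return vowels / len(letters) < 0.25 or longest_consonant_run >= 5


def flag_entries(text):
    """Parse Run lines from a DDS report and return the entries worth a closer look."""
    flagged = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name = m.group('name')
        path = executable_path(m.group('cmd')).lower()
        reasons = []
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append('launches from a Temp directory')
        # Check each directory and the file stem, ignoring extensions.
        odd = [p for p in path.split('\\') if looks_random(p.rsplit('.', 1)[0])]
        if odd:
            reasons.append('random-looking path component(s): ' + ', '.join(odd))
        if looks_random(name.rsplit('.', 1)[0]):
            reasons.append('random-looking value name')
        if reasons:
            flagged.append({'hive': SCOPES[m.group('scope')], 'name': name,
                            'path': path, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in flag_entries(SAMPLE_LOG):
        print(f"{hit['hive']}\\...\\Run\\{hit['name']} -> {hit['path']}")
        for reason in hit['reasons']:
            print('   ', reason)
```

Run against the sample, only the youeqmpe entry is reported, for both reasons: it launches from C:\WINDOWS\Temp and both the folder and the file name are random strings. Entries in HKU\.DEFAULT are worth extra attention in any case, since that hive is loaded for services and the logon screen rather than for an interactive user, which is why a per-user cleanup or a C: partition restore followed by the same behaviour is a sign to look beyond the user profile.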



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:07 AM

Posted 14 November 2010 - 09:28 AM

Hello Sonoma Boy

Welcome to BleepingComputer :)
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following


===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
