
sad.exe trojan horse



#1 jkingw10


Posted 29 March 2011 - 09:33 PM

This computer has been infected with a "sad.exe" trojan horse according to AVG log. When I click on an icon I am told that there is no file association. Sometimes I can get into a browser in round about ways by clicking on something in "all programs", but most of the time it just says no file association. According to AVG log it is in my "D" drive. I have also run Advanced Systems by IObit but it did not pick it up. It seems the more I click on something the more I lose. When I tried to get to Program files in my Control panel, I found that it is no longer there.



#2 Budapest


Posted 30 March 2011 - 06:07 PM

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 jkingw10


Posted 30 March 2011 - 11:52 PM

Thank you for your reply. When I tried to open the downloads, I got the following messages:

"C:\Documents and Settings\HP_Administration\My Documents\Downloads\mbam-setup.exe
This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel"

When I tried to get a screen shot I got a similar message for paint shop. I can get to my control panel, but after looking at the Folder Options, I do not know how to create an association.
This is the same message that I am getting for almost everything I click on. This started right after the infection. Can you help with this?

#4 Budapest


Posted 31 March 2011 - 12:12 AM

Press CTRL+SHIFT+ESC simultaneously and it will bring up Windows Task Manager.

Press and hold the CTRL button and, under File, click on New Task (Run…).
A black command prompt will open.

Copy the following lines one by one, right-click in the open command prompt, select Paste and press Enter:

assoc.bat=batfile

ftype batfile="%1" %*

assoc.exe=exefile

ftype exefile="%1" %*

exit

Then try Malwarebytes again.

#5 jkingw10


Posted 31 March 2011 - 01:59 AM

This did not work. I followed instructions and was able to do all the command prompts, but when I clicked on "run" for the download I got the no file association error message again.

#6 Budapest


Posted 31 March 2011 - 04:05 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/reg/antivirus-vista-2010/FixExe.reg

Right-click on the file and select Merge.

Then try Malwarebytes again.

#7 jkingw10


Posted 01 April 2011 - 01:50 AM

I downloaded the above file and it seems to have been successful. The message said that it was installed into the registry. I can download the Malwarebytes files, but when I click on "run" the error message about file association appears again and I can go no further.

#8 jkingw10


Posted 01 April 2011 - 02:48 AM

I have somehow been able to run all the downloads. But I had to go to "My Documents" and right-click on the icon in there and then "run as" and click on the top link after unclicking the box. I ran Malwarebytes and the following log came up. I did need to restart. After restarting, when it got to the desktop, I got the error message that "mbamgui.exe" could not run because there was no file to open it with. It did have the box that gives the list of programs to open it with. I had to "browse" and was able to open it with the Malwarebytes icon. Another quick scan was run and no infections were listed this time. However I still have to open everything by using the "run" option. Could you tell me if this scan scans the "D" drive? After the C drive was scanned, "Other" items were also scanned and 20 more infections were added, but it did not say whether or not D drive was scanned.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2011 2:18:49 AM
mbam-log-2011-04-01 (02-18-49).txt

Scan type: Quick scan
Objects scanned: 188245
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sad.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sad.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sad.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\hp_administrator\application data\ni.gscns (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\fbrowseradvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\x4 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\regclean scheduled scan.job (Rogue.RegClean) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\ni.gscns\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\ni.gscns\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.

Second scan upon restarting:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2011 2:31:06 AM
mbam-log-2011-04-01 (02-31-06).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
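As an added example (not code from this thread, from Malwarebytes, or from the poster), a Python triage script for the "Registry Data Items Infected" lines of the logs above: it parses each line's Bad/Good pair and classifies shell open commands the way post #4's assoc/ftype repair and the Broken.OpenCommand and Hijack.StartMenuInternet detections imply. The log-line regex and the verdict names are my own assumptions; the sample lines are copied from the logs in this thread.

```python
import ntpath
import re

# What HKCR\exefile\shell\open\command\(default) must hold; it is what
# post #4's `ftype exefile="%1" %*` writes and the "Good:" value in the logs.
GOOD_OPEN_COMMAND = '"%1" %*'

# Assumed shape of one "Registry Data Items Infected" line in a Malwarebytes
# 1.50 log:  <key> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
MBAM_DATA_ITEM = re.compile(
    r'^(?P<key>.+?) \((?P<detection>[^()]+)\) -> '
    r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$')
EXE_TOKEN = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)

# Sample lines copied from the logs posted in this thread, plus one filler
# line that the parser must skip.
SAMPLE_LOG_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sad.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> Quarantined and deleted successfully.',
    '(No malicious items detected)',
]


def executables_in(command):
    """Every *.exe path named on a command line, in order of appearance."""
    return [quoted or bare for quoted, bare in EXE_TOKEN.findall(command)]


def classify_open_command(key, command):
    """Verdict for a shell\\...\\command\\(default) value: 'ok', 'broken' (empty,
    the 'no file association' symptom), 'hijacked' (a browser started through
    another executable, as sad.exe did here) or 'tampered' (anything else)."""
    k = key.lower()
    if "\\shell\\" not in k or not k.endswith("\\command\\(default)"):
        raise ValueError("not a shell command key: " + key)
    if command.strip() == "":
        return "broken"
    if "\\exefile\\" in k or "\\batfile\\" in k:
        return "ok" if command == GOOD_OPEN_COMMAND else "tampered"
    names = [ntpath.basename(p).lower() for p in executables_in(command)]
    if not names:
        return "tampered"
    return "hijacked" if len(set(names)) > 1 else "ok"


def parse_mbam_data_items(lines):
    """One dict (key, detection, bad, good, action) per parseable line."""
    hits = (MBAM_DATA_ITEM.match(line.strip()) for line in lines)
    return [m.groupdict() for m in hits if m]


def triage(lines):
    """Map every registry key in the log section to a verdict on its Bad value."""
    verdicts = {}
    for item in parse_mbam_data_items(lines):
        key, bad = item["key"], item["bad"]
        if key.lower().endswith("\\command\\(default)"):
            verdicts[key] = classify_open_command(key, bad)
        elif "disablenotify" in key.lower():          # Security Center flags
            verdicts[key] = "notifications-disabled" if bad == "1" else "ok"
        else:
            verdicts[key] = "unreviewed"
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG_LINES).items():
        print(f"{verdict:24} {key}")
```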

#9 Budapest


Posted 01 April 2011 - 04:17 PM

I don't think the D drive will get scanned during a quick scan. Try running a full scan and post the new log.

#10 jkingw10


Posted 01 April 2011 - 11:06 PM

Below is the log from the deep scan. It did scan D drive, but there is nothing posted about a virus in that drive. There was a new one in C drive. I tried to include an attachment from the AVG log where I first noticed the virus in the D drive. When I tried to quarantine it the error message was that it was too large to do so. Subsequent scans did not show this virus, but there were several before this one. The problems with the computer started slowly at first and then increased to its current condition. Is there some way I can send this info or is it even necessary?

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2011 9:35:34 PM
mbam-log-2011-04-01 (21-35-34).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 466854
Time elapsed: 2 hour(s), 11 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (???*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP1654\A0324795.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#11 Budapest


Posted 02 April 2011 - 03:23 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run another quick scan with Malwarebytes. Post the Malwarebytes log.

Do you remember what the name of the file was that had the virus in the D drive?

Also, how is your computer running now?

#12 jkingw10


Posted 03 April 2011 - 02:47 AM

Currently the computer is still acting up. I cannot click on an icon and open it. I have to right-click, use "run as", then a command window opens up: "Which user account do you want to run the program?" I am given the choice of "Current user" or "Administrator". There is a box to tick or un-tick under "Current user" that asks "Protect my computer and data from unauthorized program activity". Some programs have to have the box ticked and some have to have it un-ticked. All programs have to use the 1st option. In the Control Panel the "Add or Remove Programs" icon is still missing and right-clicking on any icon in the control panel does nothing. My Windows security icon in the task bar is red and says my computer is unprotected. When I tried clicking on the Windows Security icon in the Control panel, I was unable to.

Below is the latest Malwarebytes' scan. One virus keeps infecting the computer. I have highlighted it in red. Although it can be cleaned, it shows up with every scan. For some reason it doesn't get permanently removed.

The "D" drive virus that AVG picked up has infected that and "C" drive. The "C" drive virus can be removed, but the "D" drive one cannot because the file is too big. This virus has hit 7 times in the past. The first time there were 11 infections, 8 of which were removed (all from C). The last time it hit "D" drive was Mar 24th. AVG shows it clear of this virus currently, but it has yet to be removed. I hope I have copied it correctly, but I was unable to copy/paste. There are 2 versions of the infection. They are identical except for the last part of the longest one.

Found in: Win32/Heur.dropper

D:\I386\APPS\APP13621\scr\install\Worldwide-MediaCenter\games\049D60AF-B425-4F8A-BD66-9D8C1B519D593.exe:\$JJ\C49D60AF-B425-4FBA-B066-9D8C1B519D59.exe\ns_00002

D:\I386\APPS\APP13621\scr\install\Worldwide-MediaCenter\games\049D60AF-B425-4F8A-BD66-9D8C1B519D593.exe


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/2/2011 5:03:03 PM
mbam-log-2011-04-02 (17-03-03).txt

Scan type: Quick scan
Objects scanned: 188162
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (???*) Good: ("%1" %*) -> Quarantined and deleted successfully.


Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 03 April 2011 - 04:10 PM

This is going to require a more in-depth look. Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.