Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WIndows Freezing


  • Please log in to reply
5 replies to this topic

#1 TarHeels

TarHeels

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:36 AM

Posted 12 April 2011 - 04:53 PM

Hey~

I'm new to the site and forum, but I've been reading some of the tutorials to try and fix my problem on my own. This is a great site and gave me some ideas, but I'm stuck and need your help.

Anyways, on to my problem. I have Windows XP Professional with SP3 on my machine. While browsing the internet the other day my computer froze. I was still able to move the cursor around, but was unable to open or close anything. I restarted my computer and logged back in. As soon as I logged in I wasn't able to open anything without it freezing again. I was able to put MBAM and SAS on my computer while in Safe Mode. I ran MBAM first and these are some results:

c:\servicetuner\d_script\alerter_remove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\servicetuner\d_script\application_layer_gateway_remove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\servicetuner\d_script\application_management_remove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\servicetuner\d_script\automatic_updates_remove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\servicetuner\d_script\background_intelligent_transfer_service_remove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a665a38c-2d21-41f1-bb42-f8a79287c9b7}\RP999\A0166000.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

Then I ran SAS:

Agent/Gen-Backdoor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166132.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166061.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166047.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166048.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166049.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166050.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166051.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A665A38C-2D21-41F1-BB42-F8A79287C9B7}\RP999\A0166052.EXE
etc, etc.

I then ran Avast and it found one more C:\SYSTEM VOLUME INFORMATION\_RESTORE

I figured after running all three of those programs and quaratining everything would be good to go. The same thing is happening to me though. Any advice would definitely be appreciated. Thanks.

Edited by Budapest, 12 April 2011 - 05:42 PM.
Moved from XP ~Budapest


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:36 AM

Posted 12 April 2011 - 08:24 PM

Hello, a couple things of note,
The first being you had/have a Backdoor and you should know this..
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


The other is you still have these in your Restore points. If you still want to clean this PC next you need to run...

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TarHeels

TarHeels
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:36 AM

Posted 12 April 2011 - 08:30 PM

Ok, thanks for the information. I will probably just reformart the hdd. Another question for you. I had my external hdd connected to my computer at the time of this happening. Should I consider that compromised as well?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:36 AM

Posted 12 April 2011 - 08:36 PM

Not necessarily.. do you back up applications to it.
Scan it,connect it ,update MBAM and do a FULL scan. This scans all drives.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 TarHeels

TarHeels
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:36 AM

Posted 12 April 2011 - 08:48 PM

Alright, I ran MBAM and it's clean. Pretty glad I bought it last week. Saved me a lot of heartache. Thanks for your advice.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:36 AM

Posted 12 April 2011 - 09:09 PM

Yep probably the best $ you'll spend.

Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users