
post virus issues


  • This topic is locked
31 replies to this topic

#1 ok computer

ok computer

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 26 April 2011 - 07:03 PM

Hello. I am helping my mom with her computer remotely via "TeamViewer". She told me, in a frustratingly non-specific mom-like way that they had viruses and ran some scan (she couldn't tell me what) and appear to have gotten rid of most of them (she didn't know what "they" were) but now she can't see video on IE and they still get scam pop-ups claiming to detect infections that can be cleaned if you enter your credit card number. I'm not sure why or how long they've gone without a Windows Update, but they are still on SP1 and an older version of IE and they won't update because an older Windows Update has failed and they can't get past it ("The following updates were not installed: Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)"). I'm working with Windows support to get past that.

It appears they have no virus protection and when I go to the Windows Security Center to see, it says the "Security Center" service has not started or was stopped. When I go to find and start the service, I can not find it on the list with the other services. I am reluctant to install another anti-virus program until the unit is reasonably clean, though while I am waiting for your assistance, I may try to use an online scanner - I'll make a note of any results. I have used a Microsoft emergency scanner that I found on their support site ("MSERT") but I'm having trouble completing it before TeamViewer kicks me off for one reason or another. I did run "Spybot" and I'm sorry that I did not keep a log, but it did find at least one "Trojan" which it claimed to clean successfully.

These are all of the problems that I know of. Your help is very much appreciated. The requested logs are all attached (DDS log pasted below).

Thank you very much

ADDED ON 4/27/11: I ran Trend Micro "House Call" and it found "HKTL PROCKILL.A" and "Troj Generic". I attached a screen shot.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 23:05:15.79 on Sun 04/24/2011
Internet Explorer: 6.0.2800.1106
.
============== Running Processes ===============
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\WINDOWS\System32\rundll32.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\msert.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://fullchannel.net/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qus7.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus7.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://qus7.hpwis.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://srch-qus7.hpwis.com/
mStart Page = hxxp://qus7.hpwis.com/
mSearch Bar = hxxp://srch-qus7.hpwis.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {13F537F0-AF09-11d6-9029-0002B31F9E59} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mPolicies-explorer: <NO NAME> =
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD}
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxps://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303584360250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1303586487265
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R? McComponentHostService;McAfee Security Scan Component Host Service
R? mrtRate;mrtRate
R? msCMTSrvc;Content Monitoring Tool
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? TeamViewer6;TeamViewer 6
.
=============== Created Last 30 ================
.
2011-04-25 02:39:51 -------- d-----w- c:\program files\CCleaner
2011-04-23 19:23:12 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-04-23 19:23:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-22 03:03:06 -------- d-----w- c:\program files\TeamViewer
2011-04-07 23:49:11 -------- d-----w- c:\program files\common files\McAfee
2011-04-07 23:48:52 -------- d-----w- c:\program files\McAfee
.
==================== Find3M ====================
.
2011-03-08 22:27:42 45056 ----a-w- c:\windows\NCUNINST.EXE
2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 23:09:53.14 ===============

Screen shot from Trend Micro House Call (attached file: trend micro.JPG, 56.47KB)

Merged posts. ~ OB

Ran ESET Online Scanner and found:

C:\WINDOWS\system32\msCMTsrvc.exe Win32/TrojanDownloader.Presario trojan cleaned by deleting - quarantined

EDIT: Posts merged ~Budapest


Edited by Budapest, 28 April 2011 - 06:10 PM.
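As an added example (not code from the thread, from DDS, or from any tool named in it), here is a small Python triage helper for the DDS log format pasted above: it splits the log on its "=====" section headers, lists the BHO/TB/EB entries whose CLSID points at "No File" (leftovers that deserve a second look), and lists services whose short name does not begin with a vendor prefix the reviewer already recognises. The known-vendor prefix list is an assumption for illustration; the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
BHO: {13F537F0-AF09-11d6-9029-0002B31F9E59} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
============= SERVICES / DRIVERS ===============
R? McComponentHostService;McAfee Security Scan Component Host Service
R? mrtRate;mrtRate
R? msCMTSrvc;Content Monitoring Tool
S? TeamViewer6;TeamViewer 6
"""

# DDS section headers look like "===== Name =====" with varying numbers of '='.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Service lines look like "R? ShortName;Display name" (R = running, S = stopped).
SERVICE_RE = re.compile(r"^[RS]\?\s+([^;]+);(.*)$")


def parse_sections(text):
    """Split a DDS log into {section_name: [non-empty lines]} using its header lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":   # DDS pads sections with lone '.' lines
            sections[current].append(line)
    return sections


def orphan_entries(sections):
    """BHO/TB/EB lines whose CLSID no longer resolves to a file on disk."""
    hjt = sections.get("Pseudo HJT Report", [])
    return [l for l in hjt
            if l.split(":", 1)[0] in ("BHO", "TB", "EB") and l.endswith("- No File")]


def unfamiliar_services(sections, known_prefixes=("mc", "teamviewer")):
    """Services whose short name lacks a recognised vendor prefix (assumed list, case-insensitive)."""
    prefixes = tuple(p.lower() for p in known_prefixes)
    found = []
    for l in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(l)
        if m and not m.group(1).lower().startswith(prefixes):
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DDS)
    print("Orphaned browser add-ons:", *orphan_entries(secs), sep="\n  ")
    print("Services to review:", *unfamiliar_services(secs), sep="\n  ")
```

On the sample, the service check surfaces msCMTSrvc, which the ESET scan later in the post identified as the file it quarantined.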



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 04 May 2011 - 06:44 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 04 May 2011 - 08:03 PM

Hello, m0le, and thanks very much for your help. I am here and awaiting your instructions.

OK

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 05 May 2011 - 12:44 PM

The problem here is that without at least an update to SP1a the system is not secure enough to clean with any confidence that the malware won't return through the vulnerability.

I am happy to hold on until Microsoft have been able to update or you can try and apply this critical update by clicking the link below:

http://www.softpedia.com/get/System/OS-Enhancements/Windows-XP-Service-Pack-SP1a.shtml
m0le is a proud member of UNITE

#5 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 05 May 2011 - 03:57 PM

I installed your MS update as instructed - it seemed to work fine, but now if I run Windows Update I still get the same result: It tries to install the "Update for Background Intelligent Transfer Service" and it fails, as shown in the attached screen shot.

One of my main goals here, besides just having a clean machine, is to get the browser updated to Internet Explorer 8. It seems that until I get past this "BITS" update I cannot proceed to the point where Windows Update installs Explorer 8 (or all the other important updates like security fixes and SP2 and SP3, etc.). If I try to download the IE 8 update as a separate file and run that, the install fails.

Let me know what you think.

Thank you! (Attached file: screenshot.JPG, 26.13KB)

OK

Edited by ok computer, 05 May 2011 - 04:42 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 05 May 2011 - 04:15 PM

My rule is that you can't work with two people at the same time. Follow the Microsoft support and keep me informed. :)
m0le is a proud member of UNITE

#7 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 05 May 2011 - 04:44 PM

Oops - looks like we crossed posts. Sorry - I thought maybe I should follow your instructions on the MS update before responding so I did and I edited my previous post.

I agree about working with one person. I'm okay starting with MS, but as soon as you give the word, I'll dump them and work with you. That was my original intention, but I'll do what you think is best.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 05 May 2011 - 04:48 PM

Keep me informed and if I think it's worth continuing I will let you know.

In the meantime, see what Microsoft say. Don't try and install the SP1a update unless they ask you to.
m0le is a proud member of UNITE

#9 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 11 May 2011 - 09:25 AM

Hello. It's very slow going with MS. You may recall that the hangup that keeps me from updating Windows, IExplorer, etc. is this "Background Intelligent Transfer Service" update from Microsoft that fails to install ("BITS"). Well they're still running me through the basics. The last thing they had me do was use "selective startup" to try running the update with minimal services/startup items running. It failed the same as before. I tried using the automatic Windows Update service (screenshot1, attached) and also tried downloading it and installing it manually (screenshot2, attached). I e-mailed them my results and these two screenshots and have yet to hear their next recommendation.

I've seen enough of this stuff to know that this is the result of something in the registry that was tampered with when the computer was infected, but I don't know enough to identify and fix problems in the registry. In the meantime I keep trying things for MS that I know won't work. Pretty frustrating.

I'll keep you posted. Let me know if/when you think you might be able to help.

Thank you

OK

PS - Bleepingcomputer won't let me attach the screenshots because "This file was too big to upload". How can that be? These screenshots are 19KB and 16KB?? If there's a way around that, let me know and I'll forward the screenshots.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 11 May 2011 - 05:37 PM

No idea why it won't upload such small files. Take a look at this tutorial to see if it gives you any clues.

I'm still going to sit on my hands and see how the BITS install fix goes. If they can get you to the update stage then we should be able to fly through the rest.

Keep me informed again :thumbup2:
m0le is a proud member of UNITE

#11 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 13 May 2011 - 10:36 AM

Here are those screenshots...I had to go in and delete attachments from previous posts so as not to exceed my "upload quota" of 512K.

The latest from MS was to skip the update by choosing "custom" (vs. "express") from the Windows Update page and then checking the "do not show this update again" box. This way I could get past it and continue to download all of the subsequent updates.

I explained to them that this wasn't an option: Upon clicking "custom" the website says, "Checking for the latest updates..." as usual, but then it goes to a screen saying "Software Upgrade for some Windows components required" and it automatically goes to install the "BITS" update again, resulting in the same old update failure message.

Waiting for their response. I'll keep you posted.

OK


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 19 May 2011 - 06:32 PM

How are things going?
m0le is a proud member of UNITE

#13 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 20 May 2011 - 12:09 AM

Hello. There's been a breakthrough: They finally said, let's install SP3 (it only had SP1). They had me download the file and run it from the download, which I did. To my surprise, the install seemed to run fine, and it installed Internet Explorer 8 as a part of the SP. When it was finished, however, I tried to open IE and nothing happened. No window opened, no error message - just the little hourglass for a second and then nothing, as if I hadn't even clicked it. I tried re-installing IE8 from a download from MS and it worked. I went to Microsoft Update and ran all the important Windows updates and then I installed MS Security Essentials for them (they need an easy, free antivirus program - recall that this is my Mom's computer). Now everything seems fine. Am I done..?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:03 AM

Posted 20 May 2011 - 05:50 PM

Great news :thumbup2:

Have you had any symptoms of infection during the time that Microsoft have been working on the machine?
m0le is a proud member of UNITE

#15 ok computer

ok computer
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:12:03 AM

Posted 22 May 2011 - 03:15 PM

Well, yes, really. As I said, after I installed SP3, I tried to open IE8 and it wouldn't open. There was a half a second of an hourglass and then nothing, as if I hadn't even clicked the icon.

One of the solutions I read online said "restore your internet options to their default values" and I couldn't do it because the "Internet Options" icon no longer appeared in Control Panel (a symptom of infection?) and if I tried to run it from a command prompt, the command was understood and apparently executed, but still nothing happened at all - Internet Options did not open. That also sounds to me like a symptom of infection, but I don't know.

Once I re-installed IE8 from the file I downloaded at microsoft.com, these problems appeared to be fixed. Since this isn't my computer (it's my mom's) I don't use it enough to have witnessed anything else, though I did ask her to tell me if she'd had any other problems. I'll let you know when/if I get an answer, but in the meantime, what do you think...?

OK
