System shutdown initiated by NT Authority/System


  • This topic is locked
21 replies to this topic

#1 NoVaT

NoVaT

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 13 June 2011 - 03:00 PM

I was instructed to post here after posting this topic.

http://www.bleepingcomputer.com/forums/topic401919.html/page__p__2278721#entry2278721


Initial Post:
I am running Windows XP Service Pack 3. My issues started a few days ago. The computer would not get on the internet, would not initiate my Iolo antivirus program, and would shutdown with the message in the topic line. Today I had trouble getting it to boot up. It would immediately go to the shutdown message. I was able to prevent it from shutting down by typing "shutdown -a" on the run line. I am unable to load any alternate antivirus programs. I cannot activate my Windows Firewall because the service "Windows Firewall/Internet Connection Sharing service" is not running. When I try to start that the response says Windows cannot start the service. I cannot access the internet. I am typing this on my laptop. I did have a previous problem with the system I am speaking of, and I received help here. So I have downloaded gmer.zip, TFC.exe, Rkunhook, and Hijackthis. I have not run any of these yet for the current problem. Malwarebytes does not find anything and neither does Spybot. I also tried running a fix I found on the Symantec site, fixblast.exe, since that sounded like the bug I had. It found nothing as well. Any help would be greatly appreciated.


I think I may have gotten it. I was finally able to get on the internet using the repairs in Superantispyware. I ran the ESET online scan, and it found and removed a lot of stuff. I am still getting the error when I try to run Malwarebytes, but antivirus, firewall, and internet are working now. Everything else seems to be normal. I am trying to remove, reload, and run malwarebytes to see if it finds anything the others missed.

Update 6/13/11
I have cleaned some stuff up but it seems I am still having problems. The internet went down again and I had to repair again with SAS. My Webroot antivirus would not start. Fixed with SAS repair tools. The latest scan by Webroot quarantined w32/Murofet-A if that helps. Here are the logs that were requested. Thank you for any help.

DDS Log:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Charlie and Erinn at 13:50:10 on 2011-06-12
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Charlie and Erinn\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [EvtMgr6] "c:\program files\logitech\setpointp\SetPoint.exe" /launchGaming
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {819F8533-D935-4183-B692-587F8D56AC3C} - hxxp://iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{0541FF6E-8476-4181-8726-8A7A8F606DE4} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{4ABAB98E-667D-4C16-9965-2E1C3572AC52} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\charlie and erinn\application data\mozilla\firefox\profiles\g4mtsju5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\charlie and erinn\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\charlie and erinn\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\charlie and erinn\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\charlie and erinn\application data\mozilla\firefox\profiles\g4mtsju5.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R? AMPSE;AMPSE
R? BRGSp50;BRGSp50 NDIS Protocol Driver
R? COMMONFX;COMMONFX
R? CTAUDFX;CTAUDFX
R? CTERFXFX.SYS;CTERFXFX.SYS
R? CTERFXFX;CTERFXFX
R? CTSBLFX;CTSBLFX
R? gupdate1c98d615a37c6de;Google Update Service (gupdate1c98d615a37c6de)
R? gupdatem;Google Update Service (gupdatem)
R? SABKUTIL;SABKUTIL
R? SASDIFSV;SASDIFSV
R? vseamps;vseamps
R? vsedsps;vsedsps
R? vseqrts;vseqrts
S? AMP;AMP
S? COMMONFX.SYS;COMMONFX.SYS
S? CTAUDFX.SYS;CTAUDFX.SYS
S? CTSBLFX.SYS;CTSBLFX.SYS
S? DXE101;Dynex DX-E101 PCI adapter NT Driver
S? FreeAgentGoNext Service;Seagate Service
S? LBeepKE;Logitech Beep Suppression Driver
S? SASKUTIL;SASKUTIL
S? ssfmonm;ssfmonm
S? Symantec Core LC;Symantec Core LC
S? tdrpman140;Acronis Try&Decide and Restore Points filter (build 140)
S? vsdatant;vsdatant
S? vsmon;TrueVector Internet Monitor
S? WebrootSpySweeperService;Webroot Spy Sweeper Engine
S? WRConsumerService;Webroot Client Service
S? XPacket;iolo Personal Firewall Driver
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-06-11 00:09:55 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-06-11 00:07:53 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-06-11 00:06:49 -------- d-----w- c:\documents and settings\all users\application data\webroot
2011-06-11 00:03:49 -------- d-----w- c:\documents and settings\charlie and erinn\local settings\application data\PackageAware
2011-06-08 00:41:02 -------- d-----w- c:\program files\CheckPoint
2011-06-08 00:32:01 -------- d-----w- c:\program files\MSSOAP
2011-06-07 12:14:28 -------- d-----w- c:\documents and settings\charlie and erinn\application data\SUPERAntiSpyware.com
2011-06-07 12:14:28 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-05 19:19:29 -------- d-----w- c:\program files\Webroot
2011-06-04 21:10:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-04 21:10:49 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-03 20:33:01 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-06-03 20:33:01 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-06-03 20:33:00 9341 ----a-w- c:\windows\system32\drivers\filedisk.sys
2011-06-03 20:32:57 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-06-03 20:32:57 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-06-03 20:24:55 -------- d-----w- C:\iolo
2011-06-01 00:00:00 -------- d-----w- c:\documents and settings\charlie and erinn\application data\Valo
2011-06-01 00:00:00 -------- d-----w- c:\documents and settings\charlie and erinn\application data\Ojpiuk
2011-05-19 16:29:35 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-05-23 17:09:30 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-05-23 17:09:30 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-18 05:24:38 1238528 ----a-w- c:\windows\system32\zpeng25.dll
.
============= FINISH: 13:51:56.26 ===============

Attached Files


Edited by NoVaT, 13 June 2011 - 03:11 PM.
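The "Created Last 30" and "Find3M" sections of the DDS log above are what a responder reads first when looking for a recent infection: one line per file or directory with its creation time, size, attribute flags and path. The following Python script is an added example, not part of this thread or of DDS itself; it parses those lines and lists the entries an analyst would normally review first (new kernel drivers, hidden items, new directories under a user profile's Application Data, and creation times that fall exactly on midnight, which is uncommon for an interactive install and can indicate a forged timestamp). The sample input is a constructed excerpt of the log posted above; the heuristics are review prompts, not verdicts, since a new driver is just as likely to be the security product the user has just installed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

# Sample input: a few lines copied from the "Created Last 30" and "Find3M"
# sections of the DDS log posted above (a constructed excerpt, not the whole log).
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2011-06-11 00:09:55 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-06-11 00:07:53 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-06-05 19:19:29 -------- d-----w- c:\program files\Webroot
2011-06-03 20:33:00 9341 ----a-w- c:\windows\system32\drivers\filedisk.sys
2011-06-01 00:00:00 -------- d-----w- c:\documents and settings\charlie and erinn\application data\Valo
2011-06-01 00:00:00 -------- d-----w- c:\documents and settings\charlie and erinn\application data\Ojpiuk
.
==================== Find3M ====================
.
2011-05-23 17:09:30 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
.
============= FINISH: 13:51:56.26 ===============
"""

# One DDS file entry: timestamp, size (dashes for a directory), 8-char attribute field, path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>.+?)\s*$"
)
# Section banner such as "=============== Created Last 30 ================".
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")


@dataclass
class Entry:
    section: str
    created: datetime
    size: Optional[int]      # None for directories (DDS prints dashes instead of a size)
    attrs: str               # e.g. "----a-w-" (archive) or "dc-h--w-" (dir, compressed, hidden)
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_dds_file_entries(text: str) -> List[Entry]:
    """Walk the log, tracking the current section banner, and collect file entries."""
    entries: List[Entry] = []
    section = ""
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = int(m.group("size")) if m.group("size").isdigit() else None
        entries.append(Entry(
            section=section,
            created=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            size=size,
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the entries an analyst should review first.

    These are review heuristics, not verdicts.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        low = e.path.lower()
        reasons: List[str] = []
        if low.endswith(".sys") and "\\drivers\\" in low:
            reasons.append("new kernel driver")
        if e.is_hidden:
            reasons.append("hidden attribute set")
        if e.is_directory and "\\application data\\" in low:
            reasons.append("new directory under a profile's Application Data")
        if e.created.time() == time(0, 0, 0):
            reasons.append("creation time is exactly midnight (check for a forged timestamp)")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_file_entries(SAMPLE_LOG)).items():
        print(f"{path}\n    - " + "\n    - ".join(reasons))
```

Run against the excerpt, every entry except the Webroot program directory is listed; the next step for each is the kind of check the helper asks for later in this thread (a multi-engine scan of the file, or confirming the vendor that installed it), not deletion.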



#2 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:06:49 AM

Posted 22 June 2011 - 12:23 PM

Hello NoVaT and welcome to Bleeping Computer! :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. :thumbup2:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure Advanced Mode is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck Resident TeaTimer and OK any prompts
You can re-enable TeaTimer once your system is clean.

-------------

Please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):
  • TDSSKiller_log.txt
  • how the PC is running now?


-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:
  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#3 NoVaT
  • Topic Starter

Posted 22 June 2011 - 03:32 PM

Mr. Brown,
Thank you for the assistance. The computer seems to be running pretty well. I did get a blue screen yesterday before running the tests you had me run today. It indicated some kind of memory failure, I did not write down the exact message. Here are the results you requested.

Attached Files



#4 D-FRED-BROWN

Posted 22 June 2011 - 04:31 PM

Do you recognize this site? iolo.net

--------

Please do the following:
  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

--------

I'm not seeing anything particularly suspicious in your logs. Let's run some more scans to give us a better look :wink: :

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

--------

Please include the ESET Online Scan log, as well as the aswMBR log and MBR.dat Zip file in your next reply. :)

How is your computer running now?

#5 NoVaT
  • Topic Starter

Posted 24 June 2011 - 09:00 PM

Thanks again for the help. I was previously using IOLO for my antivirus, kept it up to date, and have been infected twice so I figured I would move on. Is that why you were asking?

Here are the logs you requested. The system has been running ok. No visible problems. If you look in my original post I did run the ESET scan and it found and removed a bunch of stuff prior to me posting in this area. I appreciate having someone who knows more than me take a look and tell me everything looks fine.

Attached Files



#6 D-FRED-BROWN

Posted 25 June 2011 - 12:49 AM

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file/s for analysis: You will only be able to have one file scanned at a time.

C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see.

If Jotti is busy, please go to http://www.virustotal.com,

#7 NoVaT
  • Topic Starter

Posted 25 June 2011 - 06:55 AM

Here are the results, thanks.

Filename: WRTray.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 25 Jun 2011 13:47:54 (CET)

Filename: iPodService.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 25 Jun 2011 13:51:11

Filename: firefox.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 25 Jun 2011 13:53:31 (CET)

Edited by NoVaT, 25 June 2011 - 07:35 AM.


#8 D-FRED-BROWN

Posted 25 June 2011 - 03:19 PM

I'm afraid I have very bad news.

W32/Small.Mangdel (and related variants) is a dangerous file infector which infects .exe and screensaver .SCR files, and sometimes opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. As you have discovered, this leaves many of your otherwise legitimate programs dysfunctional, and error-laden, leaving them crippled.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer W32/Small.Mangdel remains on a computer, the more files it infects and corrupts so the degree of damage can vary.
itself. The infection is often contracted from Network and Removable Drives.

In my opinion, Mangdel is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


--------

NOTE: I would exercise great caution in attempting to save any of your personal data. Do NOT try to save any executable (.exe) or screensaver (.SCR) files. You may be able to save any music, photos, and document files; make sure you scan them with an antivirus program first, though.

--------

Regards,
-DFB
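The post above describes the mechanism that makes a file infector so hard to clean: it rewrites legitimate .exe and .SCR files in place, so the program on disk is no longer the program the vendor shipped, and the advice is to rebuild and never carry executables across from the old installation. One defensive control that follows directly from that is a hash baseline: record a SHA-256 for every executable on the freshly rebuilt system (or on a backup drive before restoring from it) and periodically compare, so an executable that has been modified, added or removed shows up regardless of whether an anti-virus signature exists for the infector. The script below is an added example written for this page, not a tool from the thread or from any vendor named in it; demo() builds a constructed scenario in a temporary directory rather than touching a real system.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# The file types the post says this infector rewrites in place.
EXECUTABLE_SUFFIXES = {".exe", ".scr"}

Baseline = Dict[str, Tuple[str, int]]   # relative path -> (sha256 hex, size in bytes)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Map every executable under root (by path relative to root) to its hash and size."""
    baseline: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (sha256_of(p), p.stat().st_size)
    return baseline


def compare(before: Baseline, after: Baseline) -> Dict[str, List[str]]:
    """Report executables whose contents changed, that appeared, or that vanished.

    A changed hash on a file nobody updated is the signal an in-place infector
    leaves; a size increase alongside it is typical of appended code, but the
    hash alone is what decides the verdict here.
    """
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    added = sorted(k for k in after if k not in before)
    missing = sorted(k for k in before if k not in after)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tree, then simulate what an infector leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)   # stand-in for a clean program
        (root / "saver.scr").write_bytes(b"MZ" + b"\x01" * 32)         # stand-in for a screensaver
        (root / "notes.txt").write_bytes(b"not an executable")         # ignored by the suffix filter
        before = build_baseline(root)

        # Simulate in-place modification: bytes appended to an existing executable.
        with (root / "bin" / "app.exe").open("ab") as f:
            f.write(b"\x90" * 16)
        (root / "new.exe").write_bytes(b"MZ" + b"\x02" * 8)             # executable not in the baseline
        (root / "saver.scr").unlink()                                    # executable that disappeared

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real system the baseline would be written to a file stored off the machine (a baseline kept on the same disk can be rewritten by the same malware) and compared on a schedule; legitimate software updates will also show up as "modified", so each hit is a prompt to check the file against the vendor's release, not an automatic verdict.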

#9 NoVaT
  • Topic Starter

Posted 26 June 2011 - 02:04 AM

Which of these scans did that show up on? Was it the ESET scan in my other thread? I just wanted to make sure of how you came to this conclusion.

#10 D-FRED-BROWN

Posted 26 June 2011 - 11:14 AM

Both the ESET scan in your other thread, and the one here, as well as the symptoms you were describing (corrupt programs, etc.).

#11 NoVaT
  • Topic Starter

Posted 26 June 2011 - 04:41 PM

Thank you for your time and advice. I appreciate it.

#12 D-FRED-BROWN

Posted 26 June 2011 - 05:10 PM

You are welcome. :)

#13 D-FRED-BROWN

Posted 26 June 2011 - 05:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#14 D-FRED-BROWN

Posted 26 June 2011 - 08:30 PM

This topic has been re-opened at the request of the person who originally posted.

#15 NoVaT
  • Topic Starter

Posted 27 June 2011 - 07:57 PM

Here are the most recent ESET scan results. Sorry about the error posting the old log. If you don't delete the old log from the ESET folder it does not overwrite with the new one on subsequent scans.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4c1a45b71d9e9748b8aac9b5557a6679
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-27 11:45:13
# local_time=2011-06-27 07:45:13 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30670911 30670911 0 0
# compatibility_mode=8192 67108863 100 0 29827181 29827181 0 0
# compatibility_mode=9217 16777214 75 70 796438 7865872 0 0
# scanned=272261
# found=0
# cleaned=0
# scan_time=6554



