
Infected with unknown. Unable to open symantec website, pctools website, etc


  • This topic is locked
21 replies to this topic

#1 DelphiDev

DelphiDev

  • Members
  • 12 posts

Posted 02 August 2011 - 04:21 PM

XP Pro system, SP2, running Comodo firewall, Avira, Windows Defender. Have run Mbam, SAS, CWshredder in safe mode. Have also run Panda and Sophos, OTscanIT, Asquared, RootRepeal, etc. After all this, I ran SDFix yesterday and it found and deleted a trojan in C:\Windows called '1.tmp'. Still unable to open www.symantec.com website. Unable to open www.pctools.com website. I've tried pinging those websites and get 'request timed out'. Believe this machine is still infected and I need help at this point. Thanks, guys.

Just to clarify the above... When booting up in safe mode with networking enabled, no problem reaching www.symantec.com or www.pctools.com. However, in normal bootup those sites - and others - are unreachable.

Merged posts. ~ OB

Edited by Orange Blossom, 04 August 2011 - 10:42 PM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,626 posts
  • Gender:Male

Posted 09 August 2011 - 04:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/412560 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 03:59 AM

Hello, if you still need help, please see the previous post for instructions on running DDS and GMER and post me the required logs. If you encounter any problem, just let me know.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 10 August 2011 - 09:48 AM

Thanks for getting to me on this. Still having problems... I believe it goes deeper than previously thought. It appears as if something has gained Group admin authority and is utilizing the Windows Installer folder for silent installs. I ran Comodo on paranoid settings, opened WordPad and found that it was trying to access a 'ddeexec' regkey that was linked to 'ToPic'. Made a registry backup first, then deleted that regkey. I turned off System Restore, unplugged my network cable, uninstalled IE7 completely; rebooted in safe mode and ran Mbam and SAS and Piriform. Now I'm able to access the websites that were previously only available in safe mode w/networking. However, I believe the machine is still infected.

System: 32 bit XP Professional with Service Pack 2 and all recommended security updates. I have the original XP Pro install disc, but I want to avoid re-formatting this machine and re-installing everything if at all possible.

I've run defogger first and attached is the DDS.txt report and the GMER report as requested.

Attached Files

  • Attached File  DDS.txt   12.27KB   0 downloads


#5 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 10 August 2011 - 09:50 AM

And here's the GMER report...

Attached Files

  • Attached File  GMER.log   141.29KB   1 downloads


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 10:10 AM

System: 32 bit XP Professional with Service Pack 2

That is severely outdated, as Microsoft no longer supports this service pack. I strongly recommend that you update to Service Pack 3; however, first let's make sure there are no active infections here.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#7 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 10 August 2011 - 10:35 AM

Thank you. TDSSKiller report, attached...


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 11:41 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#9 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 10 August 2011 - 03:52 PM

Thanks, Elise. Just ran Combofix and it looks like it found some things...report attached.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 03:55 PM

Hi, next let's update XP, then let me know how things are running.

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

regards, Elise




#11 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 10 August 2011 - 03:59 PM

Hi Elise. I totally get what you're saying about Service Pack 3. But there are some apps built with VB6 on this machine that simply don't work well with SP3. Must I install Service Pack 3 anyway? Thanks!

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 04:12 PM

It's your choice, but if you use this computer to go online I most definitely recommend installing SP3 and all the latest updates in order to keep your computer secure. Otherwise the apps may work better, but you risk getting infected, and that way you may compromise all your data.

regards, Elise




#13 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 16 August 2011 - 02:33 PM

Hi Elise. Just a quick update... I'm going to go ahead and put the VB apps that require SP2 on a different work station and upgrade this one to Service Pack 3 as you suggested. As soon as I've got that finished (probably tomorrow) I'll let you know so we can finish the process, ok? :-)

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 16 August 2011 - 02:54 PM

Okay, thank you for letting me know, please take your time! :)

regards, Elise




#15 DelphiDev

DelphiDev
  • Topic Starter

  • Members
  • 12 posts

Posted 17 August 2011 - 04:56 PM

Hi Elise. Bad news. Just when I thought we were on the verge of disinfecting this pc, it looks like it's playing hardball with me now. Last night it crashed and upon boot up it said that it was missing 'NTLDR'. Using the XP Pro install disc I went into recovery console and was able to copy NTLDR to the C drive. Still didn't work. Then I did a more thorough review of the C drive and the D drive. They've been suddenly switched. So now the bootcfg file does not even know where the windows folder is. Is there a simple way to restore the drive letters? Help. :-)
