No internet after Trojan.Dropper.PE4 cleaned!!!


  • This topic is locked
2 replies to this topic

#1 kgbadger

  • Members
  • 1 posts

Posted 30 January 2012 - 02:47 PM

Got nailed this morning with a doozy...

Malwarebytes got most of it with a standard scan, but required a reboot...

Memory Processes Detected: 4
C:\Users\Gee\AppData\Local\Temp\~!#AD22.tmp (Trojan.Dropper.PE4) -> 1828 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe (Trojan.Dropper.PE4) -> 5016 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe (Trojan.Dropper.PE4) -> 4684 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\firefox.exe (Trojan.Dropper.PE4) -> 5800 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\AFD (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Backdoor.CycBot) -> Data: C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: explorer.exe,C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|D7D.exe (Backdoor.CycBot) -> Data: C:\Program Files\LP\E724\D7D.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Dropper.PE4) -> Bad: (C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe) Good: () -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\Gee\AppData\Local\Temp\~!#AD22.tmp (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\firefox.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Users\Gee\AppData\Roaming\Microsoft\E724\4904.tmp (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\afd.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\LP\E724\D7D.exe (Backdoor.CycBot) -> Quarantined and deleted successfully.




After reboot, I cannot find AVG (system restore says it was uninstalled) and cannot get on the internet to complete the reinstall. All system restore options have failed due to a 'corrupt' restore file.

I have done a reset of all Winsock files and even an sfc scan/rebuild, which included some repairs to system repair processes.

I have noticed my network adapter trying to connect with an IP that is not supported inside the range of my router. Manual IP addressing allows access only to the home network, but not out to the internet.

Farbar report below. Please help.

Farbar Service Scanner Version: 18-01-2012 01
Ran by Gee (administrator) on 30-01-2012 at 14:34:47
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
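As an added example that is not part of the original post and not the Farbar tool's own code, the script below reproduces in PowerShell the service-configuration checks the FSS log above reports (service key present, Start value, ImagePath and ServiceDll resolving to files on disk, live state) for the same seven services. It assumes only the standard Windows service registry layout shown in that log and is run from an elevated prompt on the affected machine.

```powershell
# Added example, not code from the thread or from the Farbar tool: a PowerShell
# reproduction of the service-configuration checks in the FSS log above, for the
# same services. Per service it reports whether the registry key exists, the Start
# value, whether ImagePath/ServiceDll resolve to files on disk, and the live state.
# Run from an elevated PowerShell prompt on the affected machine.
$services = 'Dhcp', 'afd', 'MpsSvc', 'bfe', 'mpsdrv', 'SDRSVC', 'VSS'
$root = $env:SystemRoot

function Resolve-ServicePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = ($Raw -split ' -k ')[0].Trim('"')              # drop svchost "-k <group>" args
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\... form
    $p = [Environment]::ExpandEnvironmentVariables($p)   # %SystemRoot%\...
    $p = $p -replace '^\\SystemRoot\\', "$root\"          # \SystemRoot\system32\... (drivers)
    $p = $p -replace '^system32\\', "$root\system32\"     # bare system32\drivers\... form
    return $p
}

$report = foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    # Win32_Service covers user-mode services; Win32_SystemDriver covers afd/mpsdrv
    $live = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    if (-not $live) { $live = Get-WmiObject Win32_SystemDriver -Filter "Name='$svc'" }
    if (-not (Test-Path $key)) {
        # The afd/MpsSvc/bfe condition in the log: the key is gone, so the service
        # cannot start even though its binary on disk is intact ("MD5 is legit").
        New-Object PSObject -Property @{ Service = $svc; KeyExists = $false; Start = $null;
                                         ImageOK = $null; DllOK = $null; State = $live.State }
        continue
    }
    $cfg   = Get-ItemProperty $key
    $image = Resolve-ServicePath $cfg.ImagePath
    $dll   = Resolve-ServicePath (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dllOk = if ($dll) { Test-Path $dll } else { 'n/a' }   # kernel drivers have no ServiceDll
    New-Object PSObject -Property @{
        Service   = $svc
        KeyExists = $true
        Start     = $cfg.Start
        ImageOK   = [bool]($image -and (Test-Path $image))
        DllOK     = $dllOk
        State     = $live.State
    }
}
$report | Format-Table Service, KeyExists, Start, State, ImageOK, DllOK -AutoSize
```

A row with KeyExists=False but an intact binary (as the log shows for afd, whose afd.sys passes the MD5 check while its key is missing) is the configuration-loss case the thread describes, not a file-corruption case.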

#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 January 2012 - 04:35 PM

Hello kgbadger,

Do you still have the issues you are describing? If not, please update me about the current issues.

If you still have the same issues please delete your copy of Farbar Service Scanner and download Farbar Service Scanner and run it on the computer with the issue.
  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


#3 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 February 2012 - 08:31 AM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.