
Virus after reformat?


7 replies to this topic

#1 Someb0dy (Members, 4 posts)

Posted 02 February 2012 - 08:17 PM

A while ago my PC had a backdoor trojan that did a lot of things like redirecting Google pages. I reformatted my PC and now I find that my PC is different than when it was virus-free:

1) My internet is slower now; I'm getting a lot of random ping when I play games.

2) When my PC was virus-free my Google search results always detected my location as Los Angeles. After getting the virus, my Google location kept changing and they were other countries. Now after the reformat, the location is in California but not Los Angeles. And when I reset my router the location keeps changing (though still in California). The other PCs in my house (connected to the same router) show the same locations.

Can anybody help me? Thanks.

My OS is Windows XP Service Pack 2 btw.

Edited by Someb0dy, 02 February 2012 - 08:20 PM.



#2 boopme (Global Moderator)

Posted 02 February 2012 - 08:21 PM

Hello, let's take a little look.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Let's check for and confirm if there is an MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
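The checkboxes above (hosts file, IE/Firefox proxy settings, IP configuration, Winsock entries) are the places a redirecting infection typically leaves its footprint, which is why the helper asks for them first. As an added example, not MiniToolBox's code and not anything posted in this thread, here is a small Python script that triages a Result.txt-style report for those indicators: non-default hosts entries, an enabled IE proxy, a DNS server outside the local subnet, and Winsock providers not signed by Microsoft. Both sample logs are constructed; the addresses in the "hijacked" one are RFC 5737 documentation addresses, and the section headers mimic the MiniToolBox layout shown later in this thread.

```python
"""Triage a MiniToolBox-style Result.txt for DNS/proxy hijack indicators.

Added example, not part of MiniToolBox. Both logs below are constructed.
"""
import ipaddress
import re

# Constructed clean sample, modelled on the sections the helper requested.
CLEAN_LOG = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254

========================= Winsock entries =====================================

Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\\Windows\\system32\\mswsock.dll [245248] (Microsoft Corporation)
"""

# Constructed sample carrying the traces a hijack would leave behind
# (203.0.113.0/24 is an RFC 5737 documentation range, not real infrastructure).
HIJACKED_LOG = """\
========================= IE Proxy Settings: ==============================

Proxy is enabled.
Proxy Server: 203.0.113.8:8080

========================= Hosts content: =================================

127.0.0.1 localhost
203.0.113.5 www.google.com

========================= IP Configuration: ================================

IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 203.0.113.53

========================= Winsock entries =====================================

Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\\Windows\\System32\\unknown_lsp.dll [40960] (Example Vendor)
"""

SECTION_RE = re.compile(r"^=+ (.+?):? =+$", re.M)          # "==== Name: ===="
FIELD_RE = re.compile(r"^([A-Za-z][^.:]*?)[ .]*: ?(.*)$")   # ipconfig "Name . . : value"
VENDOR_RE = re.compile(r"\(([^()]*)\)\s*$")                 # trailing "(Vendor)"


def split_sections(text):
    """Map each '==== Name ====' header to the text that follows it."""
    parts = SECTION_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def hosts_findings(body):
    """Anything beyond the stock localhost mapping is worth a look."""
    findings = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, names = line.partition(" ")
        if ip in ("127.0.0.1", "::1") and names.strip() == "localhost":
            continue
        findings.append("hosts override: " + line)
    return findings


def proxy_findings(body):
    """A home PC that never configured a proxy should report none."""
    if "Proxy is not enabled." in body:
        return []
    proxy = next((l for l in body.splitlines() if l.startswith("Proxy Server")), body.strip())
    return ["IE proxy set: " + proxy]


def ip_fields(body):
    """Parse 'Field . . . : value' lines into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def dns_findings(body):
    """Flag resolvers outside the local subnet; on DHCP the router is expected."""
    fields = ip_fields(body)
    try:
        lan = ipaddress.ip_network(
            f"{fields.get('IP Address', '')}/{fields.get('Subnet Mask', '')}", strict=False)
    except ValueError:
        return ["could not determine local subnet from IP Address / Subnet Mask"]
    findings = []
    for server in re.split(r"[,\s]+", fields.get("DNS Servers", "")):
        if not server:
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append("unparseable DNS server: " + server)
            continue
        if addr not in lan:
            findings.append("DNS server outside the local subnet: " + server)
    return findings


def winsock_findings(body):
    """Layered providers not from Microsoft deserve manual review."""
    findings = []
    for line in body.splitlines():
        if not line.startswith("Catalog"):
            continue
        m = VENDOR_RE.search(line)
        vendor = m.group(1) if m else "unknown"
        if vendor != "Microsoft Corporation":
            findings.append("non-Microsoft Winsock provider: " + line)
    return findings


CHECKS = {
    "IE Proxy Settings": proxy_findings,
    "Hosts content": hosts_findings,
    "IP Configuration": dns_findings,
    "Winsock entries": winsock_findings,
}


def triage(text):
    """Run every check over its section and return the combined findings."""
    sections = split_sections(text)
    findings = []
    for name, check in CHECKS.items():
        findings.extend(check(sections.get(name, "")))
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hijacked", HIJACKED_LOG)):
        print(label, triage(log) or ["nothing suspicious"])
```

Every finding is a prompt for review rather than a verdict: an ISP-assigned resolver handed out by DHCP legitimately sits outside the LAN, and some security products install their own Winsock providers, so compare the flagged values with what the router and installed software are actually supposed to provide.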

#3 Someb0dy (Topic Starter)

Posted 02 February 2012 - 08:53 PM

Many thanks for helping me. Here are the logs:

MiniToolBox:
MiniToolBox by Farbar Version: 18-01-2012
Ran by User (administrator) on 02-02-2012 at 17:41:23
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

VIA PCI 10/100Mb Fast Ethernet Adapter = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : user-b253d98453
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : VIA PCI 10/100Mb Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-16-EC-72-F9-41
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : Thursday, February 02, 2012 4:31:37 PM
Lease Expires . . . . . . . . . . : Friday, February 03, 2012 4:31:37 PM

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.224.177, 74.125.224.178, 74.125.224.179, 74.125.224.180, 74.125.224.176

Pinging google.com [74.125.224.242] with 32 bytes of data:

Reply from 74.125.224.242: bytes=32 time=24ms TTL=53
Reply from 74.125.224.242: bytes=32 time=15ms TTL=53

Ping statistics for 74.125.224.242:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 24ms, Average = 19ms

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=112ms TTL=50
Reply from 98.137.149.56: bytes=32 time=26ms TTL=50

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 112ms, Average = 69ms

Server: home
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 ec 72 f9 41 ...... VIA PCI 10/100Mb Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.64 192.168.1.64 20
192.168.1.64 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.64 192.168.1.64 20
224.0.0.0 240.0.0.0 192.168.1.64 192.168.1.64 20
255.255.255.255 255.255.255.255 192.168.1.64 192.168.1.64 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================


System errors:
=============
Error: (02/02/2012 04:40:45 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\HP\Dfawep\bin\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Error: (02/02/2012 04:40:45 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (02/02/2012 04:40:45 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (02/02/2012 01:26:01 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\HP\Dfawep\bin\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Error: (02/02/2012 01:26:01 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (02/02/2012 01:26:01 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (02/02/2012 10:25:37 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\HP\Dfawep\bin\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Error: (02/02/2012 10:25:37 AM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (02/02/2012 10:25:37 AM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (02/02/2012 10:15:41 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\Mozilla Firefox\components\browsercomps.dll.
Reference error message: The operation completed successfully.
.


Microsoft Office Sessions:
=========================


=========================== Installed Programs ============================

7-Zip 9.20
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
HP LaserJet P1000 series
HPCarePackCore (Version: 10.0.0.1)
HPCarePackProducts (Version: 1.0.0.1)
HPSSupply (Version: 2.1.1.0000)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 30 (Version: 6.0.300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft Office Professional Edition 2003 (Version: 11.0.5614.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Mozilla Firefox 10.0 (x86 en-US) (Version: 10.0)
MrvlUsgTracking (Version: 1.0.1)
MrvlUsgTracking (Version: 1.0.7)
Realtek AC'97 Audio (Version: 5.18)
VIA/S3G Display Driver
WebFldrs XP (Version: 9.50.7523)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 446.42 MB
Available physical RAM: 295.83 MB
Total Pagefile: 1057.14 MB
Available Pagefile: 953.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.06 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:149.04 GB) (Free:143.28 GB) NTFS

========================= Users: ========================================

User accounts for \\USER-B253D98453

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 User

========================= Minidump Files ==================================

No minidump file found

**** End of log ****



mbr.exe:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJB-00PVA0 rev.00.07H00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-1b

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#4 boopme (Global Moderator)

Posted 02 February 2012 - 09:48 PM

Nice and tidy system!!

Please run one more.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

#5 Someb0dy (Topic Starter)

Posted 02 February 2012 - 10:18 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 19:00:16
-----------------------------
19:00:16.593 OS Version: Windows 5.1.2600 Service Pack 2
19:00:16.593 Number of processors: 1 586 0x409
19:00:16.593 ComputerName: USER-B253D98453 UserName: User
19:00:17.406 Initialize success
19:06:44.265 AVAST engine defs: 12020202
19:09:22.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-1b
19:09:22.953 Disk 0 Vendor: WDC_WD1600AAJB-00PVA0 00.07H00 Size: 152627MB BusType: 3
19:09:22.968 Disk 0 MBR read successfully
19:09:22.968 Disk 0 MBR scan
19:09:23.046 Disk 0 Windows XP default MBR code
19:09:23.046 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
19:09:23.062 Disk 0 scanning sectors +312560640
19:09:23.156 Disk 0 scanning C:\WINDOWS\system32\drivers
19:09:30.593 Service scanning
19:09:31.578 Modules scanning
19:09:39.078 Disk 0 trace - called modules:
19:09:39.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
19:09:39.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x843d3030]
19:09:39.140 3 CLASSPNP.SYS[f759005b] -> nt!IofCallDriver -> \Device\00000059[0x84394a68]
19:09:39.156 5 ACPI.sys[f7506620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-1b[0x843d4030]
19:09:39.531 AVAST engine scan C:\WINDOWS
19:09:42.843 AVAST engine scan C:\WINDOWS\system32
19:11:34.187 AVAST engine scan C:\WINDOWS\system32\drivers
19:11:48.000 AVAST engine scan C:\Documents and Settings\User
19:12:14.828 AVAST engine scan C:\Documents and Settings\All Users
19:12:18.046 Scan finished successfully
19:15:19.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
19:15:19.046 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"




So will the MBR just keep on lying on my desktop?
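The aswMBR log above reports "Windows XP default MBR code" and a single active NTFS partition (type 07) at offset 63, and it saves a copy of the sector as MBR.dat so that later scans have something to compare against. As an added example, not aswMBR's or GMER's code, the Python below parses a 512-byte MBR image of that shape: it checks the 0x55AA boot signature, decodes the four partition-table entries, flags structural oddities, and compares the boot-code region against an earlier saved copy, which is the simplest way to notice an MBR rewrite between two scans. The image it builds is constructed to mirror the partition in the log; the boot-code region is filler bytes, not real boot code.

```python
"""Parse and sanity-check a 512-byte MBR image such as aswMBR's MBR.dat.

Added example, not aswMBR's or GMER's code. build_sample_mbr() produces a
constructed image; real boot code would occupy the first 446 bytes.
"""
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446      # 4 entries x 16 bytes, then the 2-byte signature
BOOT_SIGNATURE = 0xAA55
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


def build_sample_mbr():
    """Constructed image: filler boot code, one active NTFS entry at sector 63, 0x55AA."""
    boot_code = b"\x90" * PARTITION_TABLE_OFFSET            # filler, not real boot code
    # 152617 MB = 312559616 sectors; CHS end 0xFE 0xFF 0xFF is the usual 'beyond CHS range' marker
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312559616)
    empty = bytes(16)
    return boot_code + entry + empty * 3 + struct.pack("<H", BOOT_SIGNATURE)


def parse_mbr(image):
    """Decode signature, partition table and a hash of the boot-code region."""
    if len(image) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(image)}")
    (signature,) = struct.unpack_from("<H", image, 510)
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(ENTRY_FORMAT, image, offset)
        if ptype == 0 and count == 0:
            continue                                        # unused slot
        partitions.append({
            "index": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(image[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def sanity_findings(parsed):
    """Structural checks a clean single-disk Windows XP layout should pass."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parsed["partitions"]:
        if p["type_name"] == "unknown":
            findings.append(f"partition {p['index']} has unrecognised type 0x{p['type']:02x}")
        if p["start_lba"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    ordered = sorted(parsed["partitions"], key=lambda p: p["start_lba"])
    for first, second in zip(ordered, ordered[1:]):
        if first["start_lba"] + first["sectors"] > second["start_lba"]:
            findings.append(f"partitions {first['index']} and {second['index']} overlap")
    return findings


def boot_code_unchanged(image, baseline_image):
    """True if the boot-code region matches an MBR.dat saved on an earlier scan."""
    return image[:PARTITION_TABLE_OFFSET] == baseline_image[:PARTITION_TABLE_OFFSET]


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = parse_mbr(sample)
    for p in report["partitions"]:
        print(p)
    print("findings:", sanity_findings(report) or "none")
    print("boot code sha256:", report["boot_code_sha256"])
```

To use it on a real MBR.dat, read the file in binary mode and pass the bytes to parse_mbr(); keep the first MBR.dat from a known-clean scan as the baseline for boot_code_unchanged(), because a hash alone only tells you the sector changed, not what it changed to.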

#6 boopme (Global Moderator)

Posted 02 February 2012 - 10:52 PM

I still do not see one.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

#7 Someb0dy (Topic Starter)

Posted 03 February 2012 - 12:04 AM

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\27\5d6255db-75312f80 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-1c42d3dd a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\6\511051c6-606d283e multiple threats deleted - quarantined
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\63\375f92ff-6a0f70c3 multiple threats deleted - quarantined

#8 boopme (Global Moderator)

Posted 03 February 2012 - 02:43 PM

Ok, well, I still see nothing really bad. If your issues still persist then we need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.
Skip GMER and include the aswMBR log you posted earlier.
Let me know if that went well.