
Bouncing Box after Internet Security XP Removal


This topic is locked
39 replies to this topic

#1 loetz
  • Members
  • 21 posts

Posted 03 March 2012 - 07:47 AM

Hello, All:

Yesterday I was infected with the Internet Security XP malware from this page:
hxxp://answers.microsoft.com/en-us/windows/forum/windows_vista-system/how-can-i-fix-vista-internet-security-2012-error/c3fb62ff-3a9d-41db-8485-6d00df1f7139

I immediately renamed my copy of Malwarebytes to explorer, launched it, and ran a scan. It found a few things so I had it fixed and did a reboot. Afterwards I couldn't get XP to load. It goes to the loading screen and then restarts all over again. I can't even get the machine to load into safe mode with networking. It WILL load into safe mode without networking, but that's it. I ran Malwarebytes again in safe mode and it found a couple more errors. I had those fixed, rebooted again into safe mode, and did another scan. This time it came up clean, but I still can't load in normal mode or safe mode with networking. I ran the Malwarebytes scan a couple more times and it still keeps coming up with nothing.

I also tried system restore after all of this, but it wouldn't work. Still did more scans with malwarebytes. Still found nothing.

Any ideas?

Edited by gringo_pr, 04 March 2012 - 02:10 AM.



#2 ratman
    Bleepin' gnawing at it!
  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 06 March 2012 - 07:27 PM

Hello loetz ,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Do you have your original install cd?

You will need a usb/flash drive to continue with the following.

Using a clean pc:


This will stop cross infection:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please use Panda USB Vaccine or BitDefender's USB Immunizer.

=============================================================================

I need to see some information about what is happening in your machine.
  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your flash drive.
  • Transfer this to your infected machine.
  • Boot infected machine in safe mode.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Copy results to flash drive and post in your next reply.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your flash drive:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Transfer the randomly named GMER file (i.e. n7gmo46c.exe) to your infected machine.
  • Boot infected machine in safe mode.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Please uncheck the following settings that we do not want in our scan.
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your flash drive. Save the file as gmer.log.
  • Copy results to flash drive and post in your next reply.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


In your next reply, please copy/paste the contents of the following:
  • DDS.txt
  • Attach.txt
  • gmer.log

Edited by ratman, 06 March 2012 - 07:31 PM.

regards, ratman

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM.

If I have helped and you would like to show your appreciation you may donate to the cause.



#3 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 07 March 2012 - 01:32 PM

I probably have the XP CD somewhere in a box someplace full of things that I didn't unpack when I moved, but I'd really rather not search for it if I don't have to. I will if it's needed.

I have attached the logs to this message.

Thank you very much for the help!




#4 ratman
    Bleepin' gnawing at it!
  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 08 March 2012 - 10:11 AM

Hello loetz ,

    I probably have the XP cd somewhere in a box someplace full of things that I didn't unpack when I move, but I'd really rather not search for it if I don't have to.

Been there :). Let's see how we go.

Please download ComboFix from the following location:
  • Save to USB and transfer to your infected machine.
* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the ComboFix icon & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please copy/paste, rather than attach (easier for me to read), the contents of the following:
  • C:\Combofix.txt
How is your machine now? Can you boot in normal mode?

Edited by ratman, 08 March 2012 - 10:26 AM.
Added question

regards, ratman




#5 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 08 March 2012 - 12:22 PM

I ran combofix and it prompted me to install recovery, but I couldn't install it because I could only boot into safe mode. Not even safe mode with networking. This means that I can't download the files needed.

I let it go ahead and do a scan anyway (wondering now if I shouldn't have), and it told me that I have a rootkey problem. It prompted me to restart.

This time it actually booted into normal mode! It did some more things and then rebooted again. Now it's running in normal mode and it seems to be fine.

Here is the log:

ComboFix 12-03-08.02 - nloetz 03/08/2012 17:31:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1671 [GMT 1:00]
Running from: c:\documents and settings\nloetz\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
c:\documents and settings\All Users\Application Data\~ibfcO1U63TWRSe
c:\documents and settings\All Users\Application Data\~ibfcO1U63TWRSer
c:\documents and settings\All Users\Application Data\ibfcO1U63TWRSe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e\U
c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e\U\80000000.@
c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e\U\800000cb.@
c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e\U\800000cf.@
c:\windows\$NtUninstallKB5035$
c:\windows\$NtUninstallKB5035$\3311020302\@
c:\windows\$NtUninstallKB5035$\3311020302\L\uqiioyjr
c:\windows\$NtUninstallKB5035$\3311020302\loader.tlb
c:\windows\$NtUninstallKB5035$\3311020302\U\@00000001
c:\windows\$NtUninstallKB5035$\3311020302\U\@000000c0
c:\windows\$NtUninstallKB5035$\3311020302\U\@000000cb
c:\windows\$NtUninstallKB5035$\3311020302\U\@000000cf
c:\windows\$NtUninstallKB5035$\3311020302\U\@80000000
c:\windows\$NtUninstallKB5035$\3311020302\U\@800000c0
c:\windows\$NtUninstallKB5035$\3311020302\U\@800000cb
c:\windows\$NtUninstallKB5035$\3311020302\U\@800000cf
c:\windows\$NtUninstallKB5035$\669787266
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\mstmdm.dll
c:\windows\system32\mswmpdat.tlb
c:\windows\system32\SET188.tmp
c:\windows\system32\SET18C.tmp
c:\windows\system32\SET18D.tmp
c:\windows\system32\SET194.tmp
c:\windows\system32\shimg.dll
c:\windows\system32\winview.ocx
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-08 16:26 . 2008-10-24 11:41 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-02 20:11 . 2012-03-08 16:37 -------- d-sh--w- c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e
2012-02-25 20:24 . 2012-02-25 20:24 -------- d--h--w- c:\windows\PIF
2012-02-25 12:53 . 2012-02-25 12:53 -------- d-----w- c:\documents and settings\nloetz\Application Data\Malwarebytes
2012-02-25 12:53 . 2012-02-25 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-25 12:53 . 2012-03-02 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-25 12:53 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-23 19:42 . 2012-02-23 19:42 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-23 19:41 . 2012-02-23 19:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-23 18:29 . 2012-02-25 21:23 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-02-23 18:13 . 2012-02-25 09:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-02-23 18:13 . 2012-02-25 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-08 16:55 . 2010-01-27 13:00 4208 ----a-w- C:\LAPPY.vbs
2012-03-08 16:55 . 2010-01-27 08:16 4208 --sha-r- c:\windows\system32\LAPPY.vbs
2012-02-17 19:11 . 2011-05-09 18:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-08-17 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2010-08-17 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2008-08-21 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-08-05 224712]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-04 25623336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-29 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-29 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-29 137752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"LAPPY"="c:\windows\SYSTEM32\LAPPY.vbs" [2012-03-08 4208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
c:\documents and settings\nloetz\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11349:TCP"= 11349:TCP:BitComet 11349 TCP
"11349:UDP"= 11349:UDP:BitComet 11349 UDP
"11985:TCP"= 11985:TCP:BitComet 11985 TCP
"11985:UDP"= 11985:UDP:BitComet 11985 UDP
"15559:TCP"= 15559:TCP:BitComet 15559 TCP
"15559:UDP"= 15559:UDP:BitComet 15559 UDP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/27/2009 7:09 PM 722416]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/25/2012 1:53 PM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/25/2012 1:53 PM 20464]
S0 ysdhcrm;ysdhcrm;c:\windows\system32\drivers\ttrowje.sys --> c:\windows\system32\drivers\ttrowje.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 6:08 PM 135664]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/4/2010 6:08 PM 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
se45bus
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 17:08]
.
2012-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 17:08]
.
2012-03-03 c:\windows\Tasks\Marie Laforete - Ivan, Boris Et Moi.job
- c:\music\Grizzly Bear - Veckatimest\01 - Southern Point.mp3 [2009-07-19 10:16]
.
2011-06-25 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-01-07 18:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uWindow Title = Hacked by LAPPY
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
DPF: {2B95F1D5-8CEE-482C-9471-3DFB74D99BDB} - hxxp://fizzweb.biosystemes.com/FizzW.ocx
FF - ProfilePath - c:\documents and settings\nloetz\Application Data\Mozilla\Firefox\Profiles\2tnkz0gr.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Spybot-S&D Cleaning - c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe
SSODL-UpdateCheck-{D093C990-16E5-45BC-9A14-C3F740133097} - c:\windows\system32\mstmdm.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-08 17:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\System32\WScript.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2012-03-08 17:59:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 16:58
.
Pre-Run: 1,406,681,088 bytes free
Post-Run: 2,034,688,000 bytes free
.
- - End Of File - - 48008558C5D38381525F4CE692742126
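
The indicators the helper acted on in the log above (a .vbs script under the HKLM Run key, the Windows Firewall standard profile set to 0, services pointing at drivers ComboFix could not find, the altered IE window title, and the $NtUninstallKB...$ / U\...@ directory layout that is attributed to ZeroAccess) can be pulled out of a ComboFix log mechanically. The script below is an added example, not a tool from this thread, from ComboFix or from BleepingComputer; the function names, regexes, category names and severity labels are my own, and the sample input is made of lines copied from the log posted above.

```python
"""ComboFix log triage (added example, not a ComboFix or BleepingComputer tool).

Scans the plain-text sections ComboFix prints (Run keys, firewall policy, the
service list, the Supplementary Scan and deleted paths) and flags the kinds of
indicators the helper in this thread acted on. Category names and severities
are this example's own labels."""
import ntpath
import re

# Extensions that mean a script interpreter, not a normal program, is auto-started.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr", ".pif"}

# "Name"="path" [date size]   (Run-key entries)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<meta>[^\]]*)\])?$')
# R0 name;display;path [date size]   or   S0 name;display;path --> path [?]
SVC_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<disp>[^;]*);'
    r'(?P<path>.+?)(?: --> (?P<target>.+?))? \[(?P<meta>[^\]]*)\]$')
# Directory layout seen in the log above (fake $NtUninstallKB...$ tree and
# U\<8 hex>.@ / U\@<8 hex> files), which the helper attributed to ZeroAccess.
ZA_PATH_RE = re.compile(
    r'\\\$NtUninstallKB\d+\$\\\d+\\|\\U\\(?:[0-9a-f]{8}\.@|@[0-9a-f]{8})$', re.I)
TITLE_RE = re.compile(r'^uWindow Title = (?P<title>.+)$')
FW_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-29 141848]
"LAPPY"="c:\windows\SYSTEM32\LAPPY.vbs" [2012-03-08 4208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/27/2009 7:09 PM 722416]
S0 ysdhcrm;ysdhcrm;c:\windows\system32\drivers\ttrowje.sys --> c:\windows\system32\drivers\ttrowje.sys [?]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
.
uStart Page = hxxp://news.bbc.co.uk/
uWindow Title = Hacked by LAPPY
.
c:\windows\$NtUninstallKB5035$\3311020302\U\@80000000
c:\documents and settings\nloetz\Local Settings\Application Data\c55a290e\U\80000000.@
"""


def triage(log_text):
    """Return (severity, indicator, detail) tuples for lines worth a second look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()  # remember which registry key we are under
            continue
        m = RUN_RE.match(line)
        if m and section.endswith(r"\run]"):
            # A .vbs under Run is a script autorun; in the log above LAPPY.vbs
            # was also marked system+hidden (--sha-r-) in the Find3M report.
            if ntpath.splitext(m.group("path"))[1].lower() in SCRIPT_EXT:
                findings.append(("high", "script autorun",
                                 f"{m.group('name')} -> {m.group('path')}"))
            continue
        if "firewallpolicy" in section and FW_OFF_RE.match(line):
            findings.append(("medium", "firewall disabled", section))
            continue
        m = SVC_RE.match(line)
        if m:
            # "[?]" means ComboFix could not find the file the service points at:
            # either a removed dropper/rootkit driver or a stale entry left by an
            # uninstalled product (likely the case for the ew* datacard driver).
            if m.group("meta") == "?":
                findings.append(("high", "service file missing",
                                 f"{m.group('start')} {m.group('name')} {m.group('path')}"))
            continue
        m = TITLE_RE.match(line)
        if m:
            findings.append(("low", "IE window title set", m.group("title")))
            continue
        if ZA_PATH_RE.search(line):
            findings.append(("high", "ZeroAccess-style path", line))
    return findings


def counts_by_indicator(findings):
    """Collapse findings into {indicator: count} for a quick summary."""
    summary = {}
    for _, indicator, _ in findings:
        summary[indicator] = summary.get(indicator, 0) + 1
    return summary


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {detail}")
```

A "service file missing" hit is a prompt to look, not a verdict: the same pattern covers a deleted rootkit driver and a leftover from an uninstalled modem package.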

#6 ratman
    Bleepin' gnawing at it!
  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 08 March 2012 - 12:46 PM

Hello loetz ,

Good start.

Backdoor Warning

One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

====================================================================================


Going over your logs I noticed that you have BitComet installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

====================================================================================

DDS has shown suspicious files.

I'd like you to send this to VirusTotal for checking:
  • Go to VirusTotal
  • Click on Browse... button on the open page
  • Navigate to c:\windows\system32\drivers\TCPIP.SYS in File Upload window
  • Click Open
  • File location should now appear in VirusTotal Browse window
  • Click Send
  • Repeat for c:\windows\system32\drivers\ttrowje.sys
  • Repeat for c:\windows\system32\mstmdm.dll

Can you copy the page address of VirusTotal's responses in your next reply?

================================================================================

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • aswMBR Log
  • VirusTotal reports

regards, ratman




#7 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 08 March 2012 - 01:09 PM

:/

I suppose that I could just format it.

If I back up all of the important files on an external drive, is there any concern that I will spread the infection?

#8 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 08 March 2012 - 01:33 PM

Ok, I just found the XP install CD.

It's been a while since I've done a format. Maybe you can refresh me. I used to use FDisk I think, but that was years back.

#9 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 08 March 2012 - 02:13 PM

Ok, and I just noticed the reinstall FAQ. I'll use that for information.

But still, do you think I'll be ok to back up files onto an external?

#10 ratman
    Bleepin' gnawing at it!
  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 08 March 2012 - 05:56 PM

Hi loetz,

We can still clean this machine of all active malware.

The decision to reformat is yours to make - I can help with that if you wish.

Since we now have your machine in a working state, I would recommend that we continue with the cleaning process to ensure that any files you wish to back up are clean.

How would you like to proceed?

regards, ratman




#11 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 09 March 2012 - 09:35 AM

I hope this is what you were looking for:

SHA256: ea29e49434585409272e7901af89771fe9d6e911a7dc44ab3c7020cff8a44552
File name: tcpip.sys
Detection ratio: 0 / 43
Analysis date: 2012-03-07 21:00:22 UTC ( 1 day, 17 hours ago )
Antivirus Result Update
AhnLab-V3 - 20120307
AntiVir - 20120307
Antiy-AVL - 20120305
Avast - 20120307
AVG - 20120307
BitDefender - 20120307
ByteHero - 20120305
CAT-QuickHeal - 20120307
ClamAV - 20120307
Commtouch - 20120307
Comodo - 20120307
DrWeb - 20120307
Emsisoft - 20120307
eSafe - 20120305
eTrust-Vet - 20120307
F-Prot - 20120307
F-Secure - 20120307
Fortinet - 20120305
GData - 20120307
Ikarus - 20120307
Jiangmin - 20120301
K7AntiVirus - 20120306
Kaspersky - 20120307
McAfee - 20120307
McAfee-GW-Edition - 20120307
Microsoft - 20120307
NOD32 - 20120307
Norman - 20120304
nProtect - 20120307
Panda - 20120307
PCTools - 20120228
Prevx - 20120307
Rising - 20120307
Sophos - 20120307
SUPERAntiSpyware - 20120307
Symantec - 20120305
TheHacker - 20120307
TrendMicro - 20120306
TrendMicro-HouseCall - 20120307
VBA32 - 20120307
VIPRE - 20120307
ViRobot - 20120307
VirusBuster - 20120307

#12 loetz
  • Topic Starter
  • Members
  • 21 posts

Posted 09 March 2012 - 10:28 AM

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-09 15:37:19
-----------------------------
15:37:19.656 OS Version: Windows 5.1.2600 Service Pack 3
15:37:19.656 Number of processors: 2 586 0xF0D
15:37:19.656 ComputerName: LAPPY UserName:
15:37:20.406 Initialize success
15:47:34.437 AVAST engine defs: 12030801
15:57:27.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
15:57:27.750 Disk 0 Vendor: ST980411ASG DE14 Size: 76319MB BusType: 3
15:57:27.765 Disk 0 MBR read successfully
15:57:27.781 Disk 0 MBR scan
15:57:27.828 Disk 0 Windows XP default MBR code
15:57:27.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
15:57:27.828 Disk 0 scanning sectors +156296385
15:57:27.890 Disk 0 scanning C:\WINDOWS\system32\drivers
15:57:36.171 Service scanning
15:57:45.234 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
15:57:48.953 Modules scanning
15:57:53.968 Disk 0 trace - called modules:
15:57:53.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spnp.sys hal.dll >>UNKNOWN [0x89df4938]<<
15:57:54.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89da1ab8]
15:57:54.328 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x89d5bd98]
15:57:55.218 AVAST engine scan C:\WINDOWS
15:58:04.203 AVAST engine scan C:\WINDOWS\system32
16:00:23.875 AVAST engine scan C:\WINDOWS\system32\drivers
16:00:37.625 AVAST engine scan C:\Documents and Settings\nloetz
16:20:57.593 File: C:\Documents and Settings\nloetz\My Documents\cd backup\cakewalk cd key.exe **INFECTED** Win32:GnuMan
16:22:00.531 AVAST engine scan C:\Documents and Settings\All Users
16:23:01.000 Scan finished successfully
16:23:57.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\nloetz\Desktop\MBR.dat"
16:23:57.671 The log file has been saved successfully to "C:\Documents and Settings\nloetz\Desktop\aswMBR.txt"
16:25:51.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\nloetz\Desktop\MBR.dat"
16:25:51.312 The log file has been saved successfully to "C:\Documents and Settings\nloetz\Desktop\aswMBR.txt"
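
As an added example that is not part of this thread or of the aswMBR tool: a small Python triage helper that pulls out the markers aswMBR prints when a log deserves a second look (**INFECTED** files, **LOCKED** services, >>UNKNOWN<< entries in the disk call trace, and the MBR code status). The embedded sample is trimmed from the log above; the `Triage` and `needs_follow_up` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample trimmed from the aswMBR log posted above (banner and Run date lines have no timestamp).
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
15:57:27.828 Disk 0 Windows XP default MBR code
15:57:45.234 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
15:57:53.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spnp.sys hal.dll >>UNKNOWN [0x89df4938]<<
15:57:54.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89da1ab8]
16:20:57.593 File: C:\Documents and Settings\nloetz\My Documents\cd backup\cakewalk cd key.exe **INFECTED** Win32:GnuMan
16:23:01.000 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")  # "HH:MM:SS.mmm message"

@dataclass
class Triage:
    infected: list = field(default_factory=list)         # (path, detection name)
    locked: list = field(default_factory=list)           # driver paths of services aswMBR could not open
    unknown_modules: list = field(default_factory=list)  # addresses in the trace not attributed to a module
    mbr_status: str = "not scanned"
    finished: bool = False

def parse_aswmbr(text: str) -> Triage:
    """Collect the markers aswMBR prints when something needs a closer look."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, 'Run date' and separator lines carry no timestamp
        msg = m.group(2)
        if "**INFECTED**" in msg:
            path, _, name = msg.partition("**INFECTED**")
            t.infected.append((path.replace("File:", "", 1).strip(), name.strip()))
        elif msg.startswith("Service ") and "**LOCKED**" in msg:
            # "Service <name> <path> **LOCKED** <n>": keep the driver path
            t.locked.append(msg.split("**LOCKED**")[0].split(None, 2)[2].strip())
        elif ">>UNKNOWN" in msg:
            t.unknown_modules.extend(re.findall(r"\[(0x[0-9a-fA-F]+)\]", msg))
        elif "MBR code" in msg:
            t.mbr_status = msg.split("Disk 0", 1)[1].strip()
        elif msg.startswith("Scan finished"):
            t.finished = True
    return t

def needs_follow_up(t: Triage) -> bool:
    """True unless the scan completed, the stock MBR code is present and nothing was flagged."""
    return (not t.finished or "default MBR code" not in t.mbr_status
            or bool(t.infected or t.locked or t.unknown_modules))
```

A LOCKED service or an UNKNOWN trace entry is a prompt for a human to look, not a verdict; in the log above only the **INFECTED** file is an actual detection.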

#13 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:03:10 AM
Posted 09 March 2012 - 10:59 AM

Hello loetz,

I want you to run TDSSKiller:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================================================



In your next reply, please copy/paste the contents of the following:
  • TDSSKiller Log


How is your machine now?
regards, ratman


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#14 loetz
  • Topic Starter
  • Members
  • 21 posts
  • Local time:09:10 PM
Posted 10 March 2012 - 09:19 AM

I did the TDSS scan and it found the sptd file to be suspicious, but it didn't give me the option to cure. It gives me these three options: Skip, copy to quarantine, and delete. What should I do?

#15 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:03:10 AM
Posted 11 March 2012 - 06:09 AM

Can you copy/paste TDSSKiller.log in your next reply please?
regards, ratman






