Sasser worm, trojan, virus infections

7 replies to this topic

#1 AshleyBeth24

Posted 27 June 2012 - 09:49 AM

Good afternoon,

I am running WinXP 32-bit on a self-built PC. In the process of switching from AVG to Avast and back, I apparently had a gap of no antivirus protection for several days (in which my boyfriend had been using the internet, both of us unaware). At first there were 2 icons in the system tray impersonating AVG and Avast - both read 'Scanning in progress...' but never did anything. To be safe I manually removed both AVG and Avast via the Control Panel and deleted all associated folders. I also had multiple instances of iexplorer.exe running in the background, whereas I only use Firefox. Windows Explorer kept crashing every 3-4 mins, and my internet connection was disabled.

I rebooted in Safe Mode and ran CCleaner, MBAM & SuperAntiSpyware scans. These found and removed 2 trojans, along with a hundred tracking cookies. CCleaner found a ton of garbage and missing file associations as well. I then modified msconfig and disabled several BS RAM-suckers like Java, Google and Creative software updater programs (which I know for a fact I had previously disabled). Going back into Windows in normal mode, the fake icons in the system tray for AVG and Avast are gone now; however, daemonu.exe and ping.exe are still running in the Task Manager, which I have never seen previously. Ping.exe repeatedly reopens when I close both instances. I am also now receiving a system error that there is a problem with C:\WINDOWS\System32\lsass.exe, and the computer is forced to shut down after a 60-second countdown. From what I've read, this is a prime indicator of the W.32 Sasser worm. (Yes yes, I am a dumb@$$.)

Any help is appreciated for this monumental goof-up :( Thank you!!


#2 ElFasso

Posted 27 June 2012 - 09:53 AM

  • Can you post the MBAM/SuperAntiSpyware log?
  • Is there any antivirus installed/active at the moment?

Please update MBAM and repeat the scan and post the new MBAM log.

Edited by ElFasso, 27 June 2012 - 09:54 AM.


#3 AshleyBeth24

Posted 27 June 2012 - 09:58 AM

Wow, thank you for the super-fast reply ElFasso! I am at work on my work laptop right now but will post the MBAM and SuperAntiSpyware logs as soon as I get home this evening.

On my infected PC at home, I have disabled my internet to avoid any further infection (or passing it along) but I will be sure to update MBAM and SAS in Safe Mode and reply back with both logs. Thanks again!

#4 AshleyBeth24

Posted 27 June 2012 - 09:38 PM

Good evening,

Below are the results from the latest SuperAntiSpyware scan. I am in the process of running an MBAM scan right now and will provide that log next.
===================================================================================================================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2012 at 10:24 PM

Application Version : 5.1.1002

Core Rules Database Version : 8810
Trace Rules Database Version: 6622

Scan type : Complete Scan
Total Scan Time : 03:30:26

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 276
Memory threats detected : 0
Registry items scanned : 27971
Registry threats detected : 0
File items scanned : 191542
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\Ashley Beth\Cookies\PTWQIUAK.txt [ /ad.yieldmanager.com ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]
.traffic.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY BETH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WV9QIH4I.DEFAULT\COOKIES.SQLITE ]

Trojan.Agent/Gen-RogueShield
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\B7E8587A03D306350000239DD151FC4E\B7E8587A03D306350000239DD151FC4E.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206892.EXE

#5 AshleyBeth24

Posted 28 June 2012 - 07:20 AM

Good morning,

Here are the results from the MBAM scan in Safe Mode.
=================================================================

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.28.02

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Ashley Beth :: MINE [administrator]

6/27/2012 10:35:07 PM
NEW MBAM log 062712

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 499921
Time elapsed: 1 hour(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 29
C:\Qoobox\Quarantine\C\Documents and Settings\Ashley Beth\Application Data\meapl.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Ashley Beth\Local Settings\Application Data\{65dfbb88-538f-c275-ebba-4207a4904cf5}\n.vir (Trojan.Agent.MRGGen) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC\Desktop.ini.vir (Trojan.0access) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{65dfbb88-538f-c275-ebba-4207a4904cf5}\n.vir (Trojan.Agent.MRGGen) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{65dfbb88-538f-c275-ebba-4207a4904cf5}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{65dfbb88-538f-c275-ebba-4207a4904cf5}\U\80000000.@.vir (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0205391.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0205395.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0205406.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0205426.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0205435.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206435.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206759.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206766.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206773.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206780.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP843\A0206785.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206791.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206793.exe (Trojan.XBuild) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206794.exe (Trojan.XBuild) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206795.exe (Trojan.XBuild) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206796.exe (Trojan.XBuild) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206801.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206832.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206842.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206849.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206855.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206860.ini (Trojan.0access) -> No action taken.
C:\System Volume Information\_restore{BF018D58-BB79-4892-BFFC-31818CBD6F00}\RP844\A0206893.dll (Trojan.Agent) -> No action taken.

(end)
=================================================================

Many thanks!

#6 ElFasso

Posted 28 June 2012 - 09:34 AM

MBAM is finding the infections in the Quarantine of Combofix and in the System Recovery Files.

C:\Qoobox\Quarantine\ Quarantine of Combofix
C:\System Volume Information System Recovery Files

It's best to flush your system recovery points.

Did you run Combofix without someone from the 'Malware response team'? Because normally they will let you empty the quarantine by the uninstall command of Combofix.
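The triage point made in this reply (detections that sit only in the ComboFix quarantine or in System Restore snapshots are not live infections) can be automated when reading an MBAM log. The following is an added example, not code from the thread or from Malwarebytes: it parses "Files Detected" lines in the `path (Detection) -> action.` format shown in the log above, classifies each path by where it lives, and separates the items that still need attention from the ones that only need the quarantine emptied and the restore points flushed. The sample log lines are constructed for the example and modelled on the format in the thread; the `{00000000-...}` restore GUID is a placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# One MBAM "Files Detected" line:  <path> (<Detection.Name>) -> <action>.
# The path is matched non-greedily so a "(" inside a folder name does not
# get mistaken for the start of the detection name.
MBAM_FILE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Constructed sample log, patterned on the MBAM 1.61 log in this thread
# (paths and GUID are placeholders, not values from the infected machine).
SAMPLE_LOG = r"""
Files Detected: 4
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC\Desktop.ini.vir (Trojan.0access) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\meapl.dll.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe (Trojan.XBuild) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\dropper.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
"""


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    location: str  # "combofix_quarantine", "restore_point" or "live"


def classify_location(path: str) -> str:
    """Decide whether a detected path is an already-contained copy or a live file."""
    p = path.lower()
    # ComboFix keeps its quarantine under <drive>:\Qoobox\Quarantine\
    if re.match(r"^[a-z]:\\qoobox\\quarantine\\", p):
        return "combofix_quarantine"
    # System Restore snapshots live under \System Volume Information\_restore{GUID}\RPnnn\
    if "\\system volume information\\_restore{" in p:
        return "restore_point"
    return "live"


def parse_mbam_log(text: str) -> List[Detection]:
    """Extract every per-file detection line from an MBAM log."""
    found = []
    for line in text.splitlines():
        m = MBAM_FILE_LINE.match(line.strip())
        if not m:
            continue  # headers, counters, "(end)" and blank lines are skipped
        found.append(Detection(
            path=m.group("path"),
            detection=m.group("detection"),
            action=m.group("action"),
            location=classify_location(m.group("path")),
        ))
    return found


def summarize(detections: List[Detection]) -> Counter:
    """Count detections per location class."""
    return Counter(d.location for d in detections)


def live_items(detections: List[Detection]) -> List[Detection]:
    """Detections outside quarantine and restore points: the ones that matter for cleanup."""
    return [d for d in detections if d.location == "live"]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(dict(summarize(dets)))
    for d in live_items(dets):
        print(f"LIVE: {d.path}  [{d.detection}]  -> {d.action}")
    print("Contained copies: empty the ComboFix quarantine and flush restore points.")
```

Run it against a real MBAM log by reading the file into `parse_mbam_log`; anything reported under `live` is a file on the running system, while the other two classes disappear once the ComboFix quarantine is emptied and the restore points are deleted.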

#7 AshleyBeth24

Posted 28 June 2012 - 11:05 AM

Hello,

Yes, I had run ComboFix previously, sorry for failing to mention this. I will go back and empty the Quarantine for ComboFix when I get home tonight (though I had thought it did so automatically when it prompted me to reboot, upon completion of the scan).

Would you be so kind as to advise how I may delete my system recovery points? According to Windows I don't actually have any.

Thanks again!

#8 ElFasso

Posted 28 June 2012 - 11:14 AM

How to flush the Restore points:
  • Open the Start Menu.
  • Right click on the Computer button and click on Properties.
  • Click on the System Protection link.
  • Close the System window.
  • Click on the Configure button.
  • Click on the Delete button.
  • If you get a message, click Continue.

After this procedure, make a new Restore point.