
Relocated: BSOD (Stop:c000021A) on XP Pro OS &Networked PC


This topic is locked. 80 replies to this topic.

#76 Lapua1941 (Topic Starter)

Posted 20 December 2012 - 04:44 PM

Unfortunately, I had uninstalled it prior to your post. I found some cookies for it and deleted them but no dice. Hey, hold on....I just retried via the non-IE download path and it is going forward with the scan. More later!

Edited by Lapua1941, 20 December 2012 - 04:53 PM.



#77 Lapua1941 (Topic Starter)

Posted 20 December 2012 - 06:49 PM

Below is the ESET scan log:
-----------------------------------------------------------------------
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro2.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Linda Bowers\Local Settings\Temp\maf1E.tmp a variant of Win32/Kheagol.H trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\vgrw.dll a variant of Win32/Kheagol.O trojan cleaned by deleting - quarantined

#78 Oh My! (Malware Response Instructor)

Posted 20 December 2012 - 08:08 PM

Hi Jim,

Excellent work. No matter how we go about it, the goal was to run ESET. Were you able to install an antivirus program and update Internet Explorer?

One of the items identified by ESET is a variant of Win32/Kheagol.O trojan. This may be the reason you had to reinstall XP. This is the only evidence I have seen of this infection, meaning it is a remnant and not an active infection. However, in its prime this infection is known as a Backdoor Trojan. If you had an active infection I would provide you with the following warning. Because these types of infections can never be guaranteed to be cleaned absent a reformat (not reinstall), I am posting the information for your review. Again, so as not to unnecessarily alarm you, I don't see any other evidence pointing to an active infection. Here is my normal speech:

===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


How is your computer behaving? Is there anything left that concerns you?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
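As an added example (written for this page, not posted by anyone in the thread), a small Python script that parses ESET detection lines in the format Jim posted in #77 and labels each hit by where on disk it was found, the kind of context Gary uses above to call the Kheagol detection a remnant rather than an active infection. The location labels and the set of recognised action words are my own assumptions, not ESET's.

```python
import re

# The four detection lines from the post above, used as the sample input.
ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro2.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Linda Bowers\Local Settings\Temp\maf1E.tmp a variant of Win32/Kheagol.H trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\vgrw.dll a variant of Win32/Kheagol.O trojan cleaned by deleting - quarantined
"""

# ESET writes "<path> <threat> <action>". Both path and threat contain spaces,
# so anchor on the threat's "Family/Name [type]" shape and a known action verb.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/[A-Za-z0-9_.-]+"
    r"(?: (?:worm|trojan|virus|backdoor|application|potentially unwanted application))?) "
    r"(?P<action>(?:cleaned|deleted|quarantined|unable to clean).*)$"
)

def classify_path(path: str) -> str:
    """Location-based triage label (labels are this example's own, not ESET's)."""
    p = path.lower()
    if "\\recovery\\" in p or "\\quarantine\\" in p:
        return "archived by another tool: already removed, not running"
    if "\\temp\\" in p:
        return "temp folder: dropped file, usually inert once deleted"
    if "\\windows\\system32\\" in p:
        return "system directory: check what loaded it before calling it a remnant"
    return "other location: review manually"

def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:  # keep unparsable lines visible instead of silently dropping them
            findings.append({"raw": line, "parsed": False})
            continue
        hit = m.groupdict()
        hit["parsed"] = True
        hit["location"] = classify_path(hit["path"])
        findings.append(hit)
    return findings

if __name__ == "__main__":
    for hit in triage(ESET_LOG):
        print(hit.get("threat", "unparsed"), "|", hit.get("location", hit.get("raw")))
```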

#79 Lapua1941 (Topic Starter)

Posted 21 December 2012 - 12:16 PM

Hey Oh My,

I think we are good on this one; IE8 upgrade and MSE are now on the machine. And all seems to be working. Thanks for the info on that trojan, and for the perspective of remnant vs. active agent. We'll discuss that here to see what action, if any, we feel may be needed.

Let me thank you again for all the help; the upside to all of this is some increased knowledge of this type of recovery on our end. Fortunately, it does not happen often; but that means this new knowledge is easy to lose if not used regularly. Your day-to-day work in this certainly makes your insight and knowledge valuable, and it is appreciated more than we can express. Many thanks and regards,

Jim

#80 Oh My! (Malware Response Instructor)

Posted 21 December 2012 - 01:27 PM

Hi Jim,

It has been a pleasure working with you and your Dad. :)


Now that you are reporting your computer is running well it is my great pleasure to tell you the Good News!


===================================================


All Clean

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining tools we used from your PC:

Removing Combofix and Other Tools

--------------------

Please do the following to delete ComboFix:

  • Press the Windows key + R on your keyboard at the same time
  • Type combofix /uninstall and press Enter.


This will remove Combofix and other tools we used from your computer.


----------


Please do the following to delete OTL:

  • Delete the tools used during the disinfection:

  • Double click OTL on your desktop
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp button
  • Say Yes to the prompt and then allow the program to reboot your computer

----------


Please read the following in order to prevent reinfecting your PC:

  • Install and update the following programs regularly:

    • Outbound firewall.
      If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!

    • I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    • Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well

    • Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!

    • The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:


We will leave this topic open for just a few days in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#81 Oh My! (Malware Response Instructor)

Posted 23 December 2012 - 02:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary