Problem Malware


  • This topic is locked
13 replies to this topic

#1 jackiegreeno

jackiegreeno

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 11 March 2013 - 02:05 PM

Dell Inspiron, Windows XP, that I have given to my grandson (he lives with me and is 11 years old). The other evening, while he was playing Roblox and was on Skype, programs just started not responding. He couldn't shut down (Control/Alt/Delete didn't work either) so he unplugged the machine. The following morning the machine booted up what looked to be just fine. Then I realized that none of the programs responded. Icon double click or right click > Open did not respond. Again Control/Alt/Delete didn't work, nor did shut down. Manually shutting down worked. Tried to start in safe mode with networking and it would not let me. Kept coming back to the screen with the three paragraphs of possible problem scenarios. Highlighted was Start Windows Normally. I chose to start at Last Known Good Configuration and was able to do that. The PC worked for a while, then the sound went off. Then the programs stopped responding. At one point (there were so many of them, I can't think of which time) I was able to run Malwarebytes on my husband's user profile and it did find a few trojans. My user profile just opens to my background picture... no icons... nothing else. Do you think that this may be a virus? This morning it opens nicely, but again won't even let me into Control Panel.

 

Today, on my husband's profile, everything locked up when I did Start / Settings / Control Panel. After about 15 minutes, everything but the background disappeared (all icons etc.).

 

 





#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 14 March 2013 - 03:30 PM

Hello and welcome to BleepingComputer!

I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system, so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.

Please generate other DDS logs (download it from here if you haven't already) and post them in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.

Thank you very much for your patience.

Regards,

Elle

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 14 March 2013 - 03:55 PM

I am writing this from another computer.  The computer hasn't been touched since I first posted.  I have copied and pasted the links and will try to do it on the infected computer, but may not be able to.  I will let you know as soon as possible.  The only link is to a Private Message.  Is that what you want me to do, if indeed I haven't heard from you after following your instructions?

 

Thank you



#4 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 March 2013 - 11:23 AM

[Attachments: attach.txt, dds.txt]

 

I am able to get on the infected machine, but could not find your message in my profile.  I had to type the url in to retrieve it.  Unsure if I should attach files or copy and paste.  It would not allow me to send a copy and paste.



#5 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 March 2013 - 11:53 AM

GMER 2.1.19155 - http://www.gmer.net
Rootkit quick scan 2013-03-15 12:52:20
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3320620AS rev.3.ADG 298.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pwlyqpoc.sys


---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                         Device \Driver\atapi -> DriverStartIo 8a3a02e2
Disk    \Device\Harddisk0\DR0                                         sector 0: rootkit-like behavior

---- Devices - GMER 2.1 ----

Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e  8A3A02E2

---- EOF - GMER 2.1 ----
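The GMER output above reports two things an analyst keys on: the `DriverStartIo` routine of `\Driver\atapi` redirected to one address for every IDE port, and sector 0 (the MBR) flagged as "rootkit-like behavior". The script below is an added example, not part of the original post or of GMER itself: it parses a GMER log into its sections, extracts those two indicator types, and produces a short summary. The sample log is the one quoted in the post, embedded so the script runs offline; the section and line patterns are assumptions based on that log's layout, not a documented GMER format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the GMER 2.1 quick-scan output quoted in the post
# above, embedded here so the script runs offline.
SAMPLE_LOG = r"""GMER 2.1.19155 - http://www.gmer.net
Rootkit quick scan 2013-03-15 12:52:20
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3320620AS rev.3.ADG 298.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pwlyqpoc.sys

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                         Device \Driver\atapi -> DriverStartIo 8a3a02e2
Disk    \Device\Harddisk0\DR0                                         sector 0: rootkit-like behavior

---- Devices - GMER 2.1 ----

Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3           8A3A02E2
Device  \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e  8A3A02E2

---- EOF - GMER 2.1 ----
"""

# Assumed layout (taken from the log above, not a documented GMER grammar):
#   "---- <Section name> - GMER x.y ----"            section header
#   "\Driver\<name> -> DriverStartIo [\Device\...] <8 hex digits>"  hooked routine
#   "sector <n>: rootkit-like behavior"              MBR / boot sector flag
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(r"(\\Driver\\\w+) -> DriverStartIo(?:\s+(\\\S+))?\s+([0-9A-Fa-f]{8})\s*$")
MBR_RE = re.compile(r"sector (\d+): rootkit-like behavior")


@dataclass
class Indicator:
    kind: str      # "driver_hook" or "mbr_suspect"
    section: str   # GMER section the line came from
    driver: str    # hooked driver object, empty for the MBR flag
    detail: str    # device object the hook applies to, or "sector N"
    address: str   # address the hooked routine now points at (lower-cased)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a GMER log into its '---- Name - GMER x.y ----' sections."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def find_indicators(text: str) -> List[Indicator]:
    """Extract DriverStartIo hooks and 'rootkit-like behavior' sector flags."""
    found: List[Indicator] = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            m = HOOK_RE.search(line)
            if m:
                driver, target, addr = m.group(1), m.group(2), m.group(3)
                if target is None:
                    # Disk-sectors lines name the disk object at the start of the line.
                    first_path = re.search(r"\\\S+", line)
                    target = first_path.group(0) if first_path else driver
                found.append(Indicator("driver_hook", section, driver, target, addr.lower()))
                continue
            m = MBR_RE.search(line)
            if m:
                found.append(Indicator("mbr_suspect", section, "", f"sector {m.group(1)}", ""))
    return found


def summarize(text: str) -> dict:
    """Aggregate the indicators into what an analyst would look at first."""
    ind = find_indicators(text)
    hooks = [i for i in ind if i.kind == "driver_hook"]
    mbr = [i for i in ind if i.kind == "mbr_suspect"]
    summary = {
        "hook_count": len(hooks),
        "hooked_drivers": sorted({h.driver for h in hooks}),
        "hook_addresses": sorted({h.address for h in hooks}),
        "mbr_suspect": bool(mbr),
    }
    if summary["mbr_suspect"] and hooks:
        # Every port redirected through one address plus a flagged sector 0 is the
        # pattern of an MBR bootkit; the box should be treated as compromised.
        summary["verdict"] = "disk I/O hooked and sector 0 flagged: consistent with an MBR bootkit"
    elif hooks or mbr:
        summary["verdict"] = "suspicious: review the flagged lines"
    else:
        summary["verdict"] = "no rootkit indicators in this log"
    return summary


if __name__ == "__main__":
    for i in find_indicators(SAMPLE_LOG):
        print(f"[{i.kind}] {i.section}: {i.driver} {i.detail} {i.address}".strip())
    print(summarize(SAMPLE_LOG))
```

The script only surfaces the indicators; deciding what they mean stays with the analyst, which is what the responder does further down the thread when she names her suspicion. Running it on a clean GMER log (no hook lines, no sector flag) yields a zero hook count and the "no rootkit indicators" verdict.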
 



#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 15 March 2013 - 03:03 PM

Is your computer showing the same symptoms? Is anything changed? 

 

 

Elle



#7 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 March 2013 - 03:39 PM

Only that I was able to get on to my husband's profile and do the tests you told me to do. Just now I tried to get on my profile and all that comes up is my background pic... no icons, nothing. I will have to manually boot.



Nope.  I lied.  My icons appeared.  Let me take another look.



#8 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 March 2013 - 03:44 PM

Internet Explorer is opening with conduit.com, and Mozilla switches to ask.com. Neither of these are wanted programs. May I remove them in Add/Remove? You have told me to NOT make any changes unless you tell me to.



#9 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 March 2013 - 04:40 PM

There is no sound. Went into Control Panel / Sounds and it says no media device.



#10 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 16 March 2013 - 05:58 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

 

 

 

Elle



#11 jackiegreeno

jackiegreeno
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 16 March 2013 - 07:41 PM

I do not do financial transactions on the infected machine, but it is networked. I can take it off the network. The machine will then only be used for my grandson's pleasure. I will disconnect from the network and reformat the hard drive. Will let you know. Can you tell me the exact name of this trojan?

 

Thank you



#12 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 17 March 2013 - 05:35 AM

Hi there,

 

 

I suspect it to be a TDL4 infection, to be honest. 

Please let me know about your decision whatsoever. :)

 

 

Elle 



#13 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 20 March 2013 - 03:36 PM

Hi there,

 

 

Do you still need help? Please let us know. :)

 

 

Elle 



#14 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:27 AM

Posted 22 March 2013 - 03:58 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



