Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan and Rootkit Sirefef Infections


  • This topic is locked This topic is locked
15 replies to this topic

#1 Joyful25

Joyful25

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 07 August 2013 - 09:28 PM

Hello, I have been working to clear up my computer for days now.  Here is my original Topic I posted if you are interested in reading exactly what has been done or any of the logs: http://www.bleepingcomputer.com/forums/t/503135/email-hacked-multiple-infections-on-laptop-froze-on-blue-screen/. To sum it up, I've run MBAM, TDSSKiller (which found Rootkit 'Sinowal' but cured it as far as I know), ESET online scanner, Security Check, Deleted AVG, and installed Avast Free version. 

In preparation to post here, I tried to back up my computer with Cobian (I'm pretty sure it worked b/c the duplicate files were there), and tried to enable my windows firewall, but was unable to when clicking on the firewall windows icon.  Instead, I got a message that said "Due to an unidentified problem, windows cannot display windows Firewall Settings". 

The main reason for posting HERE is b/c when I downloaded Avast and ran a complete scan it turned up 3 threats. Two were "Threat:Win32:Sirefef-PL [Rtk]" and the other was: "Threat:Win32:Sirefef-BTN [Trj]".  The forum member then instructed me to run DDS and post here. Please help me get rid of these! Here are the logs as instructed to post:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dell User at 21:55:54 on 2013-08-07
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.309 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://broadband.zoomtown.com
mStart Page = hxxp://broadband.zoomtown.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.200.1 192.168.200.1
TCP: Interfaces\{4AE2D0D2-26DB-4200-8FAC-2CC35D5566AA} : DHCPNameServer = 192.168.200.1 192.168.200.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dell user\application data\mozilla\firefox\profiles\5zljayye.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
FF - ExtSQL: 2013-08-06 03:28; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-8-6 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-8-6 175176]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-8-6 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-8-6 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-8-6 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-8-6 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-8-6 46808]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-3 428640]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\cobian backup 11\cbVSCService11.exe [2013-8-6 67584]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
.
=============== Created Last 30 ================
.
2013-08-07 03:32:22    --------    d-----w-    c:\windows\system32\MRT
2013-08-07 01:28:11    --------    d-----w-    c:\program files\Cobian Backup 11
2013-08-06 07:28:46    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-08-06 07:28:45    175176    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-08-06 07:28:44    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-08-06 07:28:41    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-08-06 07:27:44    41664    ----a-w-    c:\windows\avastSS.scr
2013-08-06 07:26:51    --------    d-----w-    c:\program files\AVAST Software
2013-08-06 07:26:26    --------    d-----w-    c:\documents and settings\all users\application data\AVAST Software
2013-08-05 14:32:11    --------    d-----w-    c:\program files\Microsoft CAPICOM 2.1.0.2
2013-08-04 04:07:43    --------    d-----w-    c:\program files\iPod
2013-08-04 04:07:04    --------    d-----w-    c:\program files\iTunes
2013-08-04 04:07:04    --------    d-----w-    c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-08-04 03:58:47    --------    d-----w-    c:\program files\Bonjour
2013-08-04 03:37:42    --------    d-----w-    c:\documents and settings\dell user\local settings\application data\Secunia PSI
2013-08-04 03:37:18    --------    d-----w-    c:\program files\Secunia
2013-08-03 19:51:39    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-08-03 18:56:41    --------    d-----w-    c:\program files\ESET
2013-08-02 02:54:15    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-08-02 02:54:15    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-30 02:03:23    --------    d-----w-    c:\documents and settings\dell user\local settings\application data\Google
.
==================== Find3M  ====================
.
2013-08-04 03:50:41    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-08-04 03:50:40    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:56:32.79 ===============
 

 

 

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 08 August 2013 - 12:47 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 08 August 2013 - 05:03 PM

Ok, I downloaded the program from your link and was trying to follow instructions exactly like you wrote.  When I double clicked the download to open it, it asked me if I wanted to run the program or cancel (b/c windows didn't recognize).  I clicked run and it opened and automatically started to scan! It did NOT give me the option of UNCHECKING the "sections", "IAT/EAT" or "show all".   I didn't want to run it again in case that would mess anything up.  So here are the results for the Rootkit Malware Tab that was on the screen when it opened and did the scan.  If you want me to run it again just let me know...Sorry!

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit quick scan 2013-08-08 17:59:55
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM080HI rev.AB100-12 74.53GB
Running: g53kz8vs.exe; Driver: C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\pxrdyfow.sys


---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                                                                  malicious Win32:MBRoot code @ sector 156280323 !

---- System - GMER 2.1 ----

SSDT            \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateKey [0xAA17F067]
SSDT            \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateValueKey [0xAA17EED2]

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xAA22FE00]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Devices - GMER 2.1 ----

Device          \FileSystem\Ntfs \Ntfs                                                                 aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice  \Driver\Tcpip \Device\Ip                                                               aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                              aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 2.1 ----
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 09 August 2013 - 01:48 AM

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 09 August 2013 - 08:44 AM

Ran TDSSKiller - I had downloaded it this past week (see previous topic in the link I posted for more info on what it found that time).  This time, it found no malicious threats. 



#6 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 10 August 2013 - 08:20 AM

I thought I had posted that log yesterday with my reply.  I didn't check my post after I replied but, today when I logged in and checked this post there is no log.  Do I still need to post that log even though it showed no malicious activity? 



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 12 August 2013 - 03:36 AM

No, thats okay.

 

 

 

Windows XP out of date

Your Microsoft Windows installation is out of date. Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure. Out-of-date Windows installations represent a risk to your system and are also a conduit for the spread of malware. You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#8 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 13 August 2013 - 08:08 AM

Ok, I installed "service pack 3" for windows.  Window's Security Alert informed me that my firewall was turned off.  I tryed to enable it and it wouldn't let me, so I went to control panel and when I tried to click on "windows firewall" icon, it would not allow me to open it (same as before - in the last topic I had the same problem). 

 

So, was that the main problem? Windows was just outdated or are there possible infections still? What next?



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 13 August 2013 - 10:29 AM

No, that was just to avoid some problems.

 

 

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#10 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 16 August 2013 - 09:03 AM

Ok, I ran the malwarebytes antiroot kit  and am attaching the log like you requested.  It said it found 20 malicious items.  I just exited like you said to do.Attached File  mbar-log-2013-08-16 (09-36-28).txt   8.71KB   3 downloads



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 19 August 2013 - 12:49 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 21 August 2013 - 09:47 PM

Ok, ran the scan 2 times.  The first it found the 21 items and I clicked cleanup then rebooted when prompted.  The second time it found one item and I hit cleanup and rebooted again.  Computer update/status:  Seems to be running pretty good...internet a little slow when you first open it but as far as I know, running pretty good.   My firewall is back on.  After I ran the first scan and cleaned up the 21 items, my firewall automatically came back on.  So, I'm happy about that!  What else do I need to do??? Can I be sure that the last item (the google update trojan) is gone for good?

 

Here is the text log of the second time:

 

Malwarebytes Anti-Rootkit BETA 1.06.1.1005
www.malwarebytes.org

Database version: v2013.08.21.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dell User :: DELL-AA20D1D908 [administrator]

8/21/2013 8:52:39 PM
mbar-log-2013-08-21 (20-52-39).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 237799
Time elapsed: 18 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update (Trojan.Zaccess) -> Data:  -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 22 August 2013 - 07:40 AM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

 

Scan with Farbar´s Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 Joyful25

Joyful25
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:04 PM

Posted 22 August 2013 - 10:33 PM

Ok, I started the full scan on malwarebytes and after an hour for some reason the program quit and just wouldn't respond.  So I closed it and sent the error report that popped up.  THEN, I reopened malware bytes and tried running a quick scan which was successful.  It found 3 items and I clicked cleanup.   I then scanned with "Farbars"   Here is the malware log and the Farbars log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

:step1: Database version: v2013.08.22.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dell User :: DELL-AA20D1D908 [administrator]

8/22/2013 11:11:45 PM
mbam-log-2013-08-22 (23-11-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 234914
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.IBryte.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Trojan.Zaccess) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Dell User\My Documents\Downloads\Setup.exe (PUP.Optional.IBryte.A) -> Quarantined and deleted successfully.

(end)

 

:step2: Farbars:Farbar Service Scanner Version: 18-08-2013
Ran by Dell User (administrator) on 22-08-2013 at 23:21:28
Running from "C:\Documents and Settings\Dell User\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 AM

Posted 02 September 2013 - 12:39 AM

Are any issues left?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users