Fake System Check infection?

Hi.

I’m a not very clever Acer / Windows XP user who by accident clicked open a mail from barrister Justin H. Something (not the attached file though).

Stupidly again, I Googled his name and found that scamoftheday.com had some information.

Whether it was the mail or the visited site I don’t know, but right then I got two notices from Avast about two chested suspicious files.

Then it broke out, much like for Irana44, with lots of scary messages and requests for disc and system checks. I read later about the fake “System Check” and it looks much like it.

Stupidly again, I fiddled quite a bit before giving in. The last thing I did was to boot into secure mode. Sorry if my English is wobbly.

Is there any help to be had?
Klas

Hi there, let’s get at it.

The first programme needs to be run twice

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator; for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt will be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

RUN 2

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator; for XP simply run RogueKiller.exe
[*]When prompted, type 6 and validate
[*]The RKreport.txt will be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

FINALLY

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

I'm a not very clever Acer / Windows XP user who by accident clicked open a mail from barrister Justin H. Something (not the attached file though).
If you still have that mail, you can forward it to me so Avast gets the attached file sample.

Look in the top right corner, “MY MESSAGES”.

Hi there!

Thanks for giving me some hope.

RK Report 1:

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Administratör [Admin rights]
Mode: Scan – Date : 01/18/2012 22:02:18

¤¤¤ Bad processes: 1 ¤¤¤
[BLACKLIST] iac25_32.ax – C:\WINDOWS\system32\iac25_32.ax → UNLOADED

¤¤¤ Registry Entries: 3 ¤¤¤
[HJPOL] HKLM[…]\System : DisableTaskMgr (1) → FOUND
[SCRSV] HKCU[…]\Desktop : SCRNSAVE.EXE (C:\WINDOWS\ACER.SCR) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
— User —
[MBR] 1f54be8e1e42623d7aff4800329cf7bf
[BSP] 36a79b6e3e50c9f5294ac0ee32f0c32f : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 2097 Mo
1 - [ACTIVE] FAT32 [VISIBLE] Offset (sectors): 4096575 | Size: 18860 Mo
2 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 40933620 | Size: 19049 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: +++++
— User —
[MBR] 8a2877c45c9e97842276805a0759d0ba
[BSP] 7208b105e661849d4a48c279d3177d8d : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [VISIBLE] Offset (sectors): 99 | Size: 256 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RK Report 2:

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Administratör [Admin rights]
Mode: Shortcuts HJfix – Date : 01/18/2012 22:31:15

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 3 / Fail 0
Quick launch: Success 3 / Fail 0
Programs: Success 10886 / Fail 0
Start menu: Success 89 / Fail 0
User folder: Success 166 / Fail 0
My documents: Success 62 / Fail 0
My favorites: Success 8 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 74115 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 – 0x3 → Restored
[D:] \Device\HarddiskVolume3 – 0x3 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped
[H:] \Device\Harddisk1\DP(1)0-0+5 – 0x2 → Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Best regards,
Klas

OK you should have files and folders back now… With OTL I will remove the bad boys

I will be offline soon, but I will sort it out when I get online tomorrow.

Hi again!

Enclosed are OTL.txt and Extras.txt.

Best regards,
Klas

Evening!

Here is the aswMBR log:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-18 23:32:41

23:32:41.609 OS Version: Windows 5.1.2600 Service Pack 3
23:32:41.609 Number of processors: 1 586 0x802
23:32:41.625 ComputerName: ACER-188B83FC28 UserName: Administratör
23:32:42.234 Initialize success
23:32:43.750 AVAST engine defs: 12011800
23:33:12.359 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
23:33:12.390 Disk 0 Vendor: HTS424040M9AT00 MA2OA71A Size: 38154MB BusType: 3
23:33:12.453 Disk 0 MBR read successfully
23:33:12.484 Disk 0 MBR scan
23:33:13.250 Disk 0 unknown MBR code
23:33:13.312 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 2000 MB offset 63
23:33:13.921 Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 17986 MB offset 4096575
23:33:14.281 Disk 0 Partition - 00 0F Extended LBA 18167 MB offset 40933620
23:33:14.343 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 18167 MB offset 40933683
23:33:14.453 Disk 0 scanning sectors +78140160
23:33:14.671 Disk 0 scanning C:\WINDOWS\system32\drivers
23:33:44.609 Service scanning
23:33:47.453 Modules scanning
23:34:21.562 Disk 0 trace - called modules:
23:34:21.875 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
23:34:22.156 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84d4a7a8]
23:34:22.421 3 CLASSPNP.SYS[f767afd7] → nt!IofCallDriver → \Device\000000aa[0x84d5fc28]
23:34:22.703 5 ACPI.sys[f7471620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x84d60b10]
23:34:23.375 AVAST engine scan C:\WINDOWS
23:34:45.875 AVAST engine scan C:\WINDOWS\system32
23:36:58.484 AVAST engine scan C:\WINDOWS\system32\drivers
23:37:17.421 AVAST engine scan C:\Documents and Settings\Administratör
23:37:21.421 AVAST engine scan C:\Documents and Settings\All Users
23:37:33.734 Scan finished successfully
23:39:58.515 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Administratör\Skrivbord\MBR.dat”
23:39:58.562 The log file has been saved successfully to “C:\Documents and Settings\Administratör\Skrivbord\aswMBR.txt”

There was also a DAT file…

I’ll shut down now, go to bed, and hope for the best in the morning.

Many thanks for now!
Klas
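Both RogueKiller’s “MBR Check” section and the aswMBR log above are doing the same thing: reading sector 0 of the disk, hashing the boot code (RogueKiller’s “[MBR]” line) against a list of known loaders, and walking the four partition entries. The following is an added example, not code from the thread or from either tool, that does the same on a constructed 512-byte MBR. The partition layout is copied from the aswMBR log (types 0x12, 0x0C and 0x0F at offsets 63, 4096575 and 40933620); the sector counts are derived from those offsets and the disk size aswMBR reports (78140160 sectors), and the boot code is all zeros, so the hash check reports it as unknown just as the tools did for this machine. The set of known boot-code hashes is left empty because the page gives none.

```python
import hashlib
import struct

SECTOR_BYTES = 512

# Partition type IDs that appear in the aswMBR log, plus a few common ones.
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 LBA",
    0x0F: "Extended LBA",
    0x12: "Compaq diagnostics",
}


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from (status, type, lba_start, sector_count) tuples.

    Constructed test data only: the boot code defaults to zeros, which is why
    check_mbr() reports it as unknown, exactly as the tools in the thread do for
    code they have no signature for.
    """
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    mbr = bytearray(boot_code[:440].ljust(440, b"\x00"))
    mbr += b"\x00" * 6                       # disk signature (4) + reserved (2)
    for status, ptype, lba_start, count in entries:
        # status, CHS start (3 bytes, unused here), type, CHS end (3), LBA start, count
        mbr += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                           lba_start, count)
    mbr += b"\x00" * (16 * (4 - len(entries)))   # unused entries stay zeroed
    mbr += b"\x55\xAA"                            # boot signature
    assert len(mbr) == SECTOR_BYTES
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for index in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * index)
        if ptype == 0:                        # empty slot
            continue
        parts.append({
            "index": index,
            "active": status == 0x80,         # 0x80 = bootable flag
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR_BYTES // (1024 * 1024),
        })
    return parts


def boot_code_md5(mbr):
    """MD5 of the 440 bytes of boot code, the value RogueKiller prints as [MBR]."""
    return hashlib.md5(mbr[:440]).hexdigest()


def check_mbr(mbr, known_boot_md5s=frozenset()):
    """Findings an analyst looks at first: unknown boot code, wrong number of
    active partitions, overlapping entries, unrecognised partition types."""
    findings = []
    digest = boot_code_md5(mbr)
    if digest not in known_boot_md5s:
        findings.append("MBR code unknown (md5 %s)" % digest)
    parts = parse_mbr(mbr)
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["name"] == "unknown":
            findings.append("partition %d has unrecognised type 0x%02X" % (p["index"], p["type"]))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


# Layout copied from the aswMBR log; sector counts derived from its offsets and
# the 78140160-sector disk size it reports (constructed, not read from a disk).
SAMPLE_MBR = build_mbr([
    (0x00, 0x12, 63, 4096512),          # Compaq diag, 2000 MB
    (0x80, 0x0C, 4096575, 36837045),    # FAT32 LBA, active, ~17986 MB (C:)
    (0x00, 0x0F, 40933620, 37206540),   # Extended LBA, ~18167 MB
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    for finding in check_mbr(SAMPLE_MBR):
        print("!", finding)
```

“MBR code unknown” on its own is not proof of a bootkit: OEM recovery loaders (this Acer has a hidden Compaq-style diagnostic partition) are routinely absent from the tools’ hash lists, which is why Essexboy asked for the partition table and the aswMBR driver trace rather than acting on the hash alone.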

OK once these runs are complete let me know of any remaining problems

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [AutoLaunch] C:\Program\Lavasoft\Ad-Aware\AutoLaunch.exe monthly File not found
O4 - HKU\S-1-5-18..\RunOnce: [AutoLaunch] C:\Program\Lavasoft\Ad-Aware\AutoLaunch.exe monthly File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Reg Error: Key error.)
[2012-01-18 12:02:38 | 000,452,864 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Hi!

Please find 01192012_14315.log after OTL Run Fix
and OTL.txt after Quick Scan.

I can’t access the Internet with the troubled computer, should I try MBAM anyway?

Best regards,
Klas

Yes, you may try… only you won’t get it updated.

The OTL.txt is not saved as ANSI, so it looks like Chinese.

Sorry!

Is this better?

Klas

There, that one was completely okay, Klas :wink:

Hi,

MBAM didn’t find anything, though it was 25 days old…

Sorry, this time the file is in Swedish,
(should have thought about that when installing).

Klas

Sorry, this time the file is in Swedish, (should have thought about that when installing).
No problem, it did not find anything… and Essexboy has seen an MBAM log so many times that he knows what is what even in a different language.

Otherwise I can translate :wink:
NB: do you still have the mail?

Hi Pondus,
Unfortunately not.
I deleted it before the whole thing began.

Take care!
Klas

So maybe this is the correct place to ask my question about System Check?

Why did Avast miss this? What can I do to prevent future infections? I have no idea where the virus/malware came from. I think I was searching for recipes on the web at the time. Could it have come in from a website I clicked on?

Thanks

So maybe this is the correct place to ask my question about System Check?
Not really… hijacking someone else’s topic… you have already started one… I gave you a link to follow in the topic you started ::)

Did you click the link and read that topic?
And also click the links in that topic?

@Klash, could you boot to normal mode please?

Then try the net and let me know what error you get.

Run Farbar Service Scanner

http://i1238.photobucket.com/albums/ff484/CompCav/Farbarservicesinternetticked-2.jpg

Tick “Internet services” and “Windows Firewall” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Hi,

I can start IE and Outl.Expr. but there is no connection. I have a Netgear “stick in” with a router. When I try to start the Netgear application there’s just some error message. (My language skills aren’t really up to this!)

Below the FSS log.
It says Klas administrator, but I don’t feel in charge. When I boot in normal mode I have no users to choose between (which is normal because I’m the only one). But when I boot in safe mode I get the choice between Klas (pic. peaceful rubber duck) and Administrator (jump-kicking karate guy (whom I have never seen before)).


Farbar Service Scanner Version: 18-01-2012 01
Ran by Klas (administrator) on 19-01-2012 at 20:06:11
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal


Internet Services:

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is set to Disabled. The default start type is Auto.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Connection Status:

Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.

Firewall Disabled Policy:

PlugPlay Service is not running. Checking service configuration:
The start type of PlugPlay service is set to Disabled. The default start type is Auto.
The ImagePath of PlugPlay service is OK.

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll
[1980-01-01 00:00] - [2008-04-14 18:04] - 0126464 ____A (Microsoft Corporation) 0CE3FA1C1A6803B34022D6C47273930D

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[1980-01-01 00:00] - [2009-04-20 19:20] - 0045568 ____A (Microsoft Corporation) EFAC4D4C80CCD725CC5BD7D3DBF18C74

C:\WINDOWS\system32\ipnathlp.dll
[1980-01-01 00:00] - [2008-04-14 18:04] - 0330752 ____A (Microsoft Corporation) 30E1A46734BDF836C8770949C86B42A4

C:\WINDOWS\system32\netman.dll
[1980-01-01 00:00] - [2008-04-14 18:04] - 0198144 ____A (Microsoft Corporation) 7F791C1C9D3FEC5D3F519C9DB19465D3

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-09-17 09:52] - [2008-04-14 18:04] - 0145408 ____A (Microsoft Corporation) CF4E2A27495F7EA6B3128D9A731B3716

C:\WINDOWS\system32\svchost.exe
[1980-01-01 00:00] - [2008-04-14 18:05] - 0014336 ____A (Microsoft Corporation) 6CCEF19D7301D9861F90E299C798AD3F

C:\WINDOWS\system32\rpcss.dll
[1980-01-01 00:00] - [2009-02-09 12:56] - 0401408 ____A (Microsoft Corporation) 87DADC3F6E6CD5AAEB913E19CBFF922C

C:\WINDOWS\system32\services.exe
[1980-01-01 00:00] - [2009-02-09 13:27] - 0110592 ____A (Microsoft Corporation) 8870B0C4A094C1CE80CEA6F85FA38FF2

Extra List:

AegisP(11) aswTdi(12) Gpc(7) IPSec(5) irda(9) NetBT(16) PSched(8) Tcpip(4)
0x0D00000005000000010000000200000003000000040000000C0000000700000008000000090000000A00000010000000060000000B000000
IpSec Tag value is correct.

**** End of log ****

Best regards,
Klas

The start type of Dnscache service is set to Disabled. The default start type is Auto.
The start type of Dhcp service is set to Disabled. The default start type is Auto.
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The start type of netman service is set to Disabled. The default start type is 3.
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The start type of PlugPlay service is set to Disabled. The default start type is Auto.
This is the problem - all services are set to disabled

The easiest way to reset them all is to use this tool

Download Windows Repair (all in one) from this site

Install the programme, then run it

On the start repairs tab select advanced mode and click start

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif

Select the items ticked in the screen shot below (remove the ticks from the rest) and tick “restart system when finished”
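The diagnosis above rests on one pattern in the FSS log: every networking service (Dnscache, Dhcp, sharedaccess, netman), plus winmgmt and PlugPlay, has its start type set to Disabled while its ImagePath and ServiceDll are untouched. That is the rogue disabling services through the registry rather than replacing binaries, which is why the fix is to reset start types, not to restore files. The following is an added example, not code from the thread or from Farbar Service Scanner or Windows Repair, that pulls exactly those lines out of an FSS log and turns them into the `sc config` commands that would restore each default. The sample log is the block of start-type lines from Klas’s FSS output; the numeric start type “3” that FSS printed for netman is the Win32 SERVICE_DEMAND_START value, which `sc` spells `demand`.

```python
import re

# Win32 SERVICE_*_START codes. FSS prints either the name ("Auto", "Disabled")
# or, as it did for netman above, the raw number.
START_TYPE_CODES = {"boot": 0, "system": 1, "auto": 2, "demand": 3,
                    "manual": 3, "disabled": 4}
# The keyword sc.exe expects after "start=" for each code.
SC_START_KEYWORDS = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

START_TYPE_LINE = re.compile(
    r"^The start type of (?P<service>\S+) service is set to (?P<current>\S+)\. "
    r"The default start type is (?P<default>\S+)\.$"
)
NOT_RUNNING_LINE = re.compile(r"^(?P<service>\S+) Service is not running\.")

# Lines copied from the FSS log earlier in the thread (the rest of the log is
# not needed for this check).
SAMPLE_FSS_LOG = """\
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is set to Disabled. The default start type is Auto.
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
PlugPlay Service is not running. Checking service configuration:
The start type of PlugPlay service is set to Disabled. The default start type is Auto.
"""


def start_type_code(token):
    """Normalise 'Auto', 'Disabled', '3', ... to the numeric start-type code."""
    token = token.strip().lower()
    if token.isdigit():
        return int(token)
    if token in START_TYPE_CODES:
        return START_TYPE_CODES[token]
    raise ValueError("unknown start type %r" % token)


def find_stopped_services(fss_log):
    """Names of services FSS reported as not running."""
    return [m.group("service") for line in fss_log.splitlines()
            for m in [NOT_RUNNING_LINE.match(line.strip())] if m]


def find_tampered_services(fss_log):
    """[(service, current_code, default_code)] for each service whose start
    type differs from the default FSS knows for it."""
    tampered = []
    for line in fss_log.splitlines():
        m = START_TYPE_LINE.match(line.strip())
        if not m:
            continue
        current = start_type_code(m.group("current"))
        default = start_type_code(m.group("default"))
        if current != default:
            tampered.append((m.group("service"), current, default))
    return tampered


def sc_repair_commands(tampered):
    """sc.exe lines that put each start type back. sc.exe requires the space
    after 'start='; a reboot afterwards lets the Auto services come up in
    dependency order."""
    return ["sc config %s start= %s" % (service, SC_START_KEYWORDS[default])
            for service, _current, default in tampered]


if __name__ == "__main__":
    tampered = find_tampered_services(SAMPLE_FSS_LOG)
    for service, current, default in tampered:
        print("%-13s is %-8s default %s" % (service, SC_START_KEYWORDS[current],
                                            SC_START_KEYWORDS[default]))
    print()
    print("\n".join(sc_repair_commands(tampered)))
```

Two things to check before running the generated commands on a live machine: that the ImagePath/ServiceDll lines were reported “OK” (if they were not, resetting the start type would simply re-enable a hijacked service), and that the commands are run from an elevated prompt, since `sc config` writes under HKLM\SYSTEM\CurrentControlSet\Services.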