My PC has been infected by something very hard. The Avast log is attached.
System Restore is disabled. The XP firewall is disabled and I cannot enable it. The Task Manager was disabled but I could start it again.
What can I do? Not easy, I think. Is there any possibility of restoring the system without losing the restore points? (I have verified that the System Volume Information folder is empty, but I cannot open it.)
I have deleted all the files (exes, dlls, prefetch, etc., etc.) that were created at the time of infection, 1:18 today.
Disable System Restore and re-enable it after step 3. This will delete the infected restore points. Why do you need them? But if System Restore is already disabled… well, the points are gone. You do not have access to the System Volume Information folder because access rights are granted only to SYSTEM.
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on.
Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
11/06/2008 1:18:25 SYSTEM 1200 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game” file.
11/06/2008 1:18:47 SYSTEM 1200 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game” file.
11/06/2008 1:19:09 SYSTEM 1200 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\BraveSentry\BraveSentry.exe” file.
11/06/2008 1:19:19 SYSTEM 1200 Sign of “Win32:Homles [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\RQVAVNLI\17PHolmes[1].cmt[UPX]” file.
11/06/2008 1:23:17 PC 1412 Sign of “Win32:Tiny-QP [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynow.game” file.
11/06/2008 1:23:31 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game” file.
11/06/2008 1:24:26 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:24:29 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\gdnOT3256[1].exe” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\17PHolmes[1].cmt[UPX]” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\6LNEPTSW\gdnOT3256[1].exe” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\bljhfggp.exe” file.
11/06/2008 1:25:36 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 1:25:37 PC 1412 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\WINDOWS\system32\vedxga4m1et4.exe” file.
11/06/2008 3:08:13 PC 1464 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 3:13:02 PC 1464 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Documents and Settings\PC\Configuración local\Temp\bljhfggp.exe” file.
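The detection lines above are easier to reason about once they are grouped by file and by where on disk the file sits: hits in the user's Temp folder and the IE cache are dropped payloads that a temp-file cleanup removes, whereas hits under Program Files, WINDOWS and system32 are the installed components that still need a boot-time scan or manual removal. The following parser is an added example written for this thread, not a tool from Avast or from any poster; it takes the exact log format shown above, assumes the dates are day/month/year (the poster's locale is Spanish) and treats the trailing "[UPX]" marker as a scanner annotation rather than part of the filename.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied verbatim from the Avast log posted in this thread.
SAMPLE_LOG = r"""
11/06/2008 1:18:25 SYSTEM 1200 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game” file.
11/06/2008 1:18:47 SYSTEM 1200 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game” file.
11/06/2008 1:19:09 SYSTEM 1200 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\BraveSentry\BraveSentry.exe” file.
11/06/2008 1:19:19 SYSTEM 1200 Sign of “Win32:Homles [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\RQVAVNLI\17PHolmes[1].cmt[UPX]” file.
11/06/2008 1:23:17 PC 1412 Sign of “Win32:Tiny-QP [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynow.game” file.
11/06/2008 1:23:31 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game” file.
11/06/2008 1:24:26 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:24:29 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\gdnOT3256[1].exe” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\17PHolmes[1].cmt[UPX]” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Dialer-407 [trj]” has been found in “C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\6LNEPTSW\gdnOT3256[1].exe” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 1:25:33 PC 1412 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\DOCUME~1\PC\CONFIG~1\Temp\bljhfggp.exe” file.
11/06/2008 1:25:36 PC 1412 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 1:25:37 PC 1412 Sign of “Win32:Tibs-DXY [trj]” has been found in “C:\WINDOWS\system32\vedxga4m1et4.exe” file.
11/06/2008 3:08:13 PC 1464 Sign of “Win32:Homles [trj]” has been found in “C:\WINDOWS\17PHolmes27.exe[UPX]” file.
11/06/2008 3:13:02 PC 1464 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Documents and Settings\PC\Configuración local\Temp\bljhfggp.exe” file.
"""

# One Avast detection line: date, time, account, pid, signature name, file path.
# Both curly and straight quotes are accepted because forum software rewrites them.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>.+?)[”"] '
    r'has been found in [“"](?P<path>.+?)[”"] file\.$'
)
# Assumption: a trailing all-caps bracket such as "[UPX]" is the scanner's packer
# annotation, not part of the filename ("[1]" in IE cache names has digits and stays).
PACKER_TAG_RE = re.compile(r'\[[A-Z]+\]$')


def parse_line(line):
    """Return a dict for one detection line, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        # Assumption: day/month/year ordering (Spanish-locale machine).
        "when": datetime.strptime(f"{d['date']} {d['time']}", "%d/%m/%Y %H:%M:%S"),
        "user": d["user"],
        "pid": int(d["pid"]),
        "signature": d["sig"],
        "path": PACKER_TAG_RE.sub("", d["path"]),
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def classify(path):
    """Bucket a path by what its location implies for cleanup."""
    p = path.lower()
    if "\\temp\\" in p or "content.ie5" in p:
        return "temp/browser cache"      # dropped payloads; temp cleanup removes them
    if "\\windows\\system32\\" in p:
        return "system32"                # installed component, survives temp cleanup
    if "\\windows\\" in p:
        return "windows dir"
    if "\\program files\\" in p:
        return "program files"
    return "other"


def summarize(records):
    # Note: an 8.3 path (DOCUME~1\...) and its long form count as two strings here;
    # the sample has one such pair (bljhfggp.exe).
    paths = {r["path"] for r in records}
    return {
        "events": len(records),
        "unique_files": len(paths),
        "by_location": dict(Counter(classify(p) for p in paths)),
        "by_signature": dict(Counter(r["signature"] for r in records)),
        "first": min(r["when"] for r in records),
        "last": max(r["when"] for r in records),
    }


def persistent_files(records):
    """Files outside Temp and the IE cache: the ones the boot-time scan must still catch."""
    return sorted({r["path"] for r in records if classify(r["path"]) != "temp/browser cache"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for k, v in summarize(recs).items():
        print(f"{k}: {v}")
    print("persistent:", *persistent_files(recs), sep="\n  ")
```

Run on the posted log this yields 19 events on 13 distinct paths, ten of them in Temp or the IE cache and three persistent ones (BraveSentry.exe under Program Files, 17PHolmes27.exe in WINDOWS and vedxga4m1et4.exe in system32); the whole sequence spans 1:18 to 3:13 on the same day, which matches the poster's observation that everything was created at 1:18.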
I’m doing all the steps. Avast antirootkit has found c:\windows\system32\drivers\asc3550p.sys but when I push the “Fix Now” button then in the “Fix status” it says: Error!
I post as attached files the HijackThis log and the runscanner log (run file).
Thank you very much in advance for the help.
One more question: my system has lost its sound (Windows sound and SoundMAX). The firewall is still disabled and I cannot enable it. The red security icon is there in the tray. I have re-enabled System Restore, but of course there were no restore points.
The run file of runscanner cannot be attached here.
Firewall is still disabled. When the computer starts all is all right, except that the Avast tray icon doesn't turn for a few minutes and the computer seems blocked. I can run Task Manager or Process Explorer but I cannot see anything abnormal.
In the msconfig startup sequence there is nothing suspicious, but two things called “dumprep 0 -k” and “dumprep 0 -u” appear. What are these entries???
There is one thing that I still cannot understand. When my PC was infected I was only browsing the web. Nothing was executed. Nothing strange was happening. Avast was active and my firewall also. The infection started simply, without any previous signals.
How is this kind of infection possible??? I mean, I was only surfing the web and nothing was executed directly by me. How is it possible for a trojan to tunnel through the antivirus, disable System Restore and the firewall??? Is it possible??? I can't believe it.
Now I’m writing from my laptop, but the big infected computer will be formatted. No information has been lost, but now comes the problem that I am going to spend a lot of time or days reinstalling everything from zero (XP, Office, all applications…)
While I am no expert on reading HJT logs, you have several entries with (files missing) and this can be a clue to your problem. The entry with this … 1033d.exe … seems to be related to some type of malware.
As for the “dumprep” entries, perhaps it is something you initiated but do not remember and is nothing to worry about. Read here for more information: http://www.techspot.com/startup/11946/
Why can you not attach the runscanner file here?
Finally, asc3550p.sys is related to a malware named Trojan.KillAV.lz and can be removed with Spyware Terminator. Please visit the next link for more information …