I don’t have much information as of yet. All I know is that the machine is a Toshiba laptop running either Windows XP or Vista. The user has told me that it will boot to the desktop but is extremely sluggish after doing so. That’s all I have for now. It’s going to be dropped off to me tomorrow, the 17th. Hopefully I will be able to get a little help once it arrives…
Hi ebozzz,
When it comes in, go here http://forum.avast.com/index.php?topic=53253.0
and prepare the logs for one of our qualified removers, who can guide you through the cleansing process.
Do nothing to that laptop yet, and follow the qualified removal instructions meticulously to achieve the best possible cleansing results.
polonus
Polonus,
I will. I’ve already been reading the threads in the sticky section. It appears that I can get a lot done on my own before asking for the cavalry to bail me out. I’m not going to do anything other than prepare the logs and wait for guidance. This sort of thing is simply not my area of expertise.
Monitoring…
Ok, I just got home from the job and have the laptop in question.
Toshiba Satellite P205
Windows Vista Home Premium 32-bit
2 GB Ram
T5300 Core2Duo (1.73 GHz x 1.73 GHz)
200 GB HDD (125 GB free)
Based on the description that my relative had provided prior to me getting the machine, I was expecting it to show significant signs of infection. My first impressions are that this machine is not running that bad. It booted into the desktop without much difficulty. I downloaded MBAM onto a flash drive, rebooted it into safe mode, installed & updated MBAM, and I am a little over 15 minutes into a full scan. 14 detections thus far. While this scan is running I am going to read a few of the sticky threads to get an idea about what logs will be needed. I honestly think this could very well be an easy job…
Clumsy me! 42 minutes into the full scan with MBAM and I accidentally closed the application. :-\
Starting over again now. There were still only 14 detections prior to my mishap…
:Edit: I have all of my other log generating resources downloaded and ready to go once the MBAM scan is completed. I am gonna walk away for a while so that I don’t make any more mistakes!
Hi,
You don’t have to do a full scan…a quick scan is fine.
I always do full scans but the next time I will be aware of that. I don’t anticipate being back in here asking for help any time soon! ;D
Here’s the MBAM log. I am getting ready to run OTL now…
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.17.06
Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.16982
Jeff :: JEFF-PC [administrator]
4/17/2012 7:05:38 PM
mbam-log-2012-04-17 (19-05-38).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 302715
Time elapsed: 45 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 14
C:\Users\Jeff\AppData\Local\Temp\Low\0.2842084884142906.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.45276379251548815.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6396976189294069.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6620275009111668.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.7480636890359736.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.789415857029859.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\bhr.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eij.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eud.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\ilj.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\jqi.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\snc.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\sri.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\Update.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
(end)
OTL.Txt and Extras.Txt files are also attached…
aswMBR
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-17 20:43:26
20:43:26.417 OS Version: Windows 6.0.6000
20:43:26.417 Number of processors: 2 586 0xF02
20:43:26.417 ComputerName: JEFF-PC UserName: Jeff
20:43:27.322 Initialize success
20:45:13.324 AVAST engine defs: 12041701
20:45:28.238 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
20:45:28.238 Disk 0 Vendor: TOSHIBA_MK2035GSS DK020M Size: 190782MB BusType: 3
20:45:28.253 Disk 0 MBR read successfully
20:45:28.253 Disk 0 MBR scan
20:45:28.253 Disk 0 Windows VISTA default MBR code
20:45:28.269 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
20:45:28.300 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 189281 MB offset 3074048
20:45:28.316 Disk 0 scanning sectors +390721536
20:45:28.425 Disk 0 scanning C:\Windows\system32\drivers
20:45:39.283 Service scanning
20:46:06.130 Modules scanning
20:46:11.247 Disk 0 trace - called modules:
20:46:11.294 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:46:11.294 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84a9f030]
20:46:11.309 3 ntoskrnl.exe[820a80af] → nt!IofCallDriver → [0x849dbf18]
20:46:11.309 5 acpi.sys[8046832a] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x849dd548]
20:46:12.339 AVAST engine scan C:\Windows
20:46:14.819 AVAST engine scan C:\Windows\system32
20:48:54.439 AVAST engine scan C:\Windows\system32\drivers
20:49:09.383 AVAST engine scan C:\Users\Jeff
20:53:48.140 AVAST engine scan C:\ProgramData
20:57:04.528 Scan finished successfully
20:58:51.778 Disk 0 MBR has been saved successfully to “C:\Users\Jeff\Desktop\MBR.dat”
20:58:51.778 The log file has been saved successfully to “C:\Users\Jeff\Desktop\aswMBR.txt”
Rogue Killer
RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User: Jeff [Admin rights]
Mode: Scan – Date: 04/17/2012 21:16:16
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 3 ¤¤¤
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (:0) → FOUND
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++
— User —
[MBR] 31a51cfdf3c492d70a27f5667d353202
[BSP] 998c3ec9a68bb927f8a39d896677fbf4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189281 Mo
User = LL1 … OK!
User = LL2 … OK!
+++++ PhysicalDrive1: USB 2.0 USB Flash Drive USB Device +++++
— User —
[MBR] 9ce65dd10b564194fc9c920b30411fe1
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
User = LL1 … OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
Rogue Killer
Files 2 & 3 are attached…
Farbar Service Scanner
Farbar Service Scanner Version: 16-04-2012
Ran by Jeff (administrator) on 17-04-2012 at 21:30:59
Running from “C:\Users\Jeff\Desktop”
Microsoft® Windows Vista™ Home Premium (X86)
Boot Mode: Nerwork
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
Firewall Disabled Policy:
System Restore:
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
System Restore Disabled Policy:
Security Center:
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
Windows Update:
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.
Windows Autoupdate Disabled Policy:
Windows Defender:
File Check:
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2007-10-25 16:22] - [2007-10-25 16:22] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Alright, I think that’s all of the recommended logs. I’m anxious to hear what your thoughts are. In the meantime, I am going to boot into the desktop and see if I notice any issues…
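The two MBAM logs posted in this thread share one fixed layout (header fields, a “<section> Detected: N” count per category, then one “<item> (<threat>) -> <action>.” line per hit). The parser below is an added example, not code from the thread or from Malwarebytes; it reads that layout from a constructed sample, cross-checks the declared counts against the lines actually parsed, and groups the hits by threat name and parent folder so a reviewer can spot the Temp\Low droppers at a glance (the “Delete on reboot” action in the sample is an assumed value).

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
# Constructed sample in the layout of the MBAM 1.x logs posted in this thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Database version: v2012.04.17.06
Scan type: Full scan
Objects scanned: 302715
Time elapsed: 45 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Users\Jeff\AppData\Local\Temp\Low\0.2842084884142906.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\bhr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\Update.exe (Trojan.FakeAlert) -> Delete on reboot.
(end)
"""
HEADER_RE = re.compile(r"^(Scan type|Database version|Objects scanned|Time elapsed): (.+)$")
SECTION_RE = re.compile(r"^(.+?) Detected: (\d+)$")
# "<item> (<threat>) -> <action>."; the arrow is accepted as "->" or the "→" that forum copies show.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return header fields, per-section declared counts and the parsed detection lines."""
    report = {"header": {}, "counts": {}, "detections": []}
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line or line == "(end)":
            continue
        if (m := HEADER_RE.match(line)):
            report["header"][m.group(1)] = m.group(2)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
            report["counts"][section] = int(m.group(2))
        elif section and (m := DETECTION_RE.match(line)):
            report["detections"].append({"section": section, **m.groupdict()})
    return report

def triage(report):
    """Cross-check declared vs parsed counts and group what was found for review."""
    dets = report["detections"]
    return {
        "declared": sum(report["counts"].values()),
        "parsed": len(dets),
        "by_threat": dict(Counter(d["threat"] for d in dets)),
        "by_dir": dict(Counter(str(PureWindowsPath(d["item"]).parent) for d in dets if d["section"] == "Files")),
        # Anything not already quarantined still needs the reboot or a manual follow-up.
        "pending": [d["item"] for d in dets if not d["action"].startswith("Quarantined")],
    }
```

A mismatch between "declared" and "parsed" means the pasted log was truncated or reformatted and should be re-requested before acting on it.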
Hi ebozz,
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:
:Services
:OTL
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Ranges: GD ([http] in Local intranet)
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell - "" = AutoRun
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, reboot when it is done.
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).
Jeff,
Here is the Run Fix output…
I got a little confused regarding what was needed on the new OTL scan so let me tell you what I did. I initially ran with just the options that were selected by default. I did not select All Users. The log for that is OTL_2. I ran the scan again with All Users selected. That log is OTL_3. I’m off to work now. I’ll check back in later today. Thanks!
Hi,
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
ESET Online Scanner
I’d like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
- Do not use this instance of your browser for anything besides doing this scan.
- When the scan is complete and the results saved, close that instance of your browser.
- Open a new one the usual way and post the results in this topic.
- Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window: http://www.eset.com/onlinescan/
- Click the button shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  - Click on the button shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  - Double click on the icon shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png on your desktop.
- Check the box shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
- Click the Start button.
- Accept any security warnings from your browser.
- Check the option shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
- Make sure that the option “Remove found threats” is Unchecked.
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push the button shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
- Push the button shown at http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the Back button.
- Push Finish.
In your next reply please attach the logs made by Malwarebytes and ESET online scanner.
Jeff,
Here are the results from the most recent MBAM and ESET scans…
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.17.06
Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.16982
Jeff :: JEFF-PC [administrator]
4/18/2012 5:47:00 PM
mbam-log-2012-04-18 (17-47-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179600
Time elapsed: 3 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
http://forum.avast.com/index.php?action=dlattach;topic=97275.0;attach=81209;image
Talk to me! ;D