I have a Toshiba Satellite M105 S3064 running XP Media Center Service Pack 3. Intel T2300 1.66GHz processor, 1GB RAM, 120GB hard drive. I use Avast, Ad-Aware and Malwarebytes.
Please help me!
I was working in Photoshop this afternoon when a strange dialogue box came up telling me that NTAUTHORITY would shut my computer down in 60 seconds. I googled it on another computer and it came up as one of the screens for the Blaster worm. It came up again when I restarted the computer and I searched for any trace of the worm and didn’t find one. I scanned my computer with Malwarebytes and Ad-Aware and came up with nothing. After that I ran the Windows program to get rid of it and also ran the Microsoft malware removal program. The Microsoft Malware program found and deleted a trojan called JS Fake or something similar. It rebooted and then I got a window saying that my Services and Controller app needed to close and would I like to send the error log. Something’s just not right. I looked through the log and tracked the files it wanted to send to Microsoft and found them in my temp folder. They were:
services.exe.mdmp
appcompat.txt
I then scheduled a boot scan in Avast, set it to check archives, and rebooted my computer. All Avast found were a couple corrupt .rar files that I know aren’t suspicious because I’ve had them for years. I then went through and deleted all but three files in my temp folder. The three files would not uninstall. They are from HP, a printer I was in the process of installing in the background when this whole mess started.
I did some searching in Windows and came up with 5 instances of services.exe on my system:
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\$NtUninstallKB956572
C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE
I also get a message pop up telling me I’m not allowed to disable the services.exe process in Task Manager when I try to.
Here is the Malwarebytes log:
Malwarebytes’ Anti-Malware 1.42
Database version: 3297
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
12/7/2009 6:51:31 PM
mbam-log-2009-12-07 (18-51-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 443900
Time elapsed: 1 hour(s), 40 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HijackThis log in next post.
I think it might be this trojan, but I’m not sure: Trojan-Downloader.Tibs.CNA or Trojan-Dropper.Agent.CE (threatexpert.com link)