
Mal-lightening struck again (during recovery!!

Discussion in 'Virus & Other Malware Removal' started by jelleym, Apr 8, 2010.

Thread Status:
Not open for further replies.
  1. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    As posted recently on this board, I'd been struck with Trojans.

    Worried about still being without protection, yesterday I went through the tedious (many hours) download of Avast 5.

    Just as I feared, during that process, I seem to have got infected again!

    Also, somehow the repair process caused that when I open the IE6 browser, it states it cannot display (though I do get connected, and I'm able to use Firefox OK). So why not IE6? The only way I can use IE6 is by clicking Favorites, then Links, then clicking Google from there, to start browsing. But no normal browser complete with URL/toolbar.
    But let's concentrate on the Malware Log first, for now.

    ... here's the data:
    PLEASE NOTE THAT I OPTED FOR QUICK SCAN
    WHAT TO DO NOW - IS THE QUESTION


    Database version: 2421
    Windows 5.1.2600 Service Pack 1

    4/8/2010 1:35:44 PM
    mbam-log-2010-04-08 (13-33-13).txt

    Scan type: Quick Scan
    Objects scanned: 77178
    Time elapsed: 4 minute(s), 10 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

    Files Infected:
    c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
    c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
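The Malwarebytes log above shows the pattern worth reading closely: the Winlogon\Userinit value has been extended with a second executable, a "lowsec" folder is flagged as Stolen.data, and every entry ends in "No action taken." Below is an added example, not code from the thread or from Malwarebytes, of a small Python triage script that parses this log format and pulls out the unresolved entries, the extra Userinit entry, and the Stolen.data items. The sample log is a constructed, trimmed copy of the format using the thread's detection names and paths; the function and regex names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format of the Malwarebytes log above. It reuses the
# detection names and paths from the thread but is a trimmed, hand-built copy,
# not the poster's full log.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

# Detection line: "<item> (<DetectionName>) -> [<detail> -> ]<action>"
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# Detail text MBAM uses for Winlogon\Userinit hijacks: "Bad: (a,b,) Good: (c)"
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


@dataclass
class Detection:
    section: str   # e.g. "Registry Data Items Infected"
    item: str      # file path or registry key/value
    name: str      # MBAM detection name, e.g. "Trojan.FakeAlert"
    detail: str    # text between the name and the action ("" if none)
    action: str    # "No action taken.", "Quarantined and deleted successfully.", ...


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse the per-section detection lines of an MBAM log."""
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):       # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                          # summary/header lines are not detections
        *detail_parts, action = m.group("rest").split(" -> ")
        detections.append(Detection(section, m.group("item"), m.group("name"),
                                    " -> ".join(detail_parts), action))
    return detections


def extra_userinit_entries(detail: str) -> List[str]:
    """Entries in the 'Bad:' Userinit list other than the legitimate userinit.exe."""
    m = BAD_GOOD_RE.search(detail)
    if not m:
        return []
    entries = [e.strip() for e in m.group("bad").split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def triage(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group findings by what a responder needs to act on first."""
    report: Dict[str, List[str]] = {"unresolved": [], "logon_hijack": [], "stolen_data": []}
    for d in detections:
        if d.action.startswith("No action taken"):
            report["unresolved"].append(d.item)          # scan ran, nothing removed
        if "winlogon\\userinit" in d.item.lower():
            # Anything chained onto Userinit runs at every interactive logon.
            report["logon_hijack"].extend(extra_userinit_entries(d.detail) or [d.item])
        if d.name == "Stolen.data":
            report["stolen_data"].append(d.item)         # harvested data staged locally
    return report


if __name__ == "__main__":
    for key, items in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

Run against the full log in the post, the "unresolved" list is simply every line, which is the point Phantom010 makes in the next reply: a scan with "No action taken" has only inventoried the infection.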
     
  2. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Why "No action taken"? Have Malwarebytes' Anti-Malware delete whatever it finds.

    Your computer seems heavily infected. I wouldn't rely solely on MBAM for a Trojan called Infostealer.Banker.C (Symantec’s codename)...

    Please click on Report and kindly ask to be moved to the Malware Removal & HijackThis Logs forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!
     
  3. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    OK, & thanks! Uh, btw, where did you see Infostealer.Banker.C on my log? I don't see it.

    For some reason, the HijackThis program isn't on my Desktop anymore; nor did I see it in my Download Files.

    So I'm hoping MBAM is sufficient. I do also have SuperAntiSpyware (probably not the latest version though). It's a Catch-22. If I'd download these programs, I'd get further infected!

    As for patience, it's more like vice versa, because no thanks to the cybercriminals, I can really use a stretch of time to rest.

    P.S. MBAM removed those files & it stated it would create a log, & restarted.
     
  4. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    Thank you - because I need a break for a good while! Meanwhile I now have Super Antispyware running a thorough scan (this is after the above Quick Scan by MBAM), and so far it seems to have detected 24 Adware tracking cookies.
    Update: The complete scan by SAS finally finished, and I quarantined & removed the 24 tracking cookies.

    Neither MBAM nor SAS has the latest definitions downloaded. The definitions are 88 days old. I don't know if I should go ahead with setting up Avast 5 (that's if it will actually work), just to be protected in order to DL updated definitions.

    ===============================

    Database version: 2421
    Windows 5.1.2600 Service Pack 1

    4/9/2010 12:15:58 AM
    mbam-log-2010-04-09 (00-15-58).txt

    Scan type: Quick Scan
    Objects scanned: 77178
    Time elapsed: 4 minute(s), 10 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

    Files Infected:
    c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
    c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
     
  5. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    UPDATE:

    I downloaded the latest Avast, and finally today downloaded the latest definitions both on SAS and MBAM.

    Just now I ran thorough scans on both SAS & MBAM.
    Also Hijack This.

    Results:

    SAS found one cookie adware (Firefox mozilla) which I removed.

    MBAM found 6 infected registry keys and 1 infected file.
    I'm now about to click REMOVE SELECTED and hope it works out OK.

    The MBAM & HIJACK logs are as follows:

    MALWARE BYTES LOG:

    Scan type: Full scan (C:\|)
    Objects scanned: 116214
    Time elapsed: 19 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{32429E52-6169-4EA2-A736-7BFC1C4D682C}\RP4\A0000271.sys (Rootkit.Agent) -> No action taken.

    HIJACK THIS LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:34:23 PM, on 4/18/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1270725875468
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A00F6FFD-617D-4C3D-8870-0AB857506227}: NameServer = 69.72.64.2,69.72.0.2
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 3614 bytes
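The HijackThis log above lists the running processes and the numbered O-lines (O4 autorun entries, the O17 DNS servers, the O20 Winlogon Notify DLL, the O23 services). As an added example, not code from the thread or from Trend Micro, here is a Python parser that applies a simple directory-allowlist heuristic to the autorun and process paths and pulls out the O17 and O20 values for manual review. The sample is constructed: its lines are copied from the log above except the last O4 line, which is invented to exercise the check, and the allowlist of trusted directories is an assumption of this example, not something HijackThis itself applies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis format. All lines except the last O4 entry are
# copied from the log above; that O4 line is invented here to exercise the check.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Local Settings\Temp\constructed.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A00F6FFD-617D-4C3D-8870-0AB857506227}: NameServer = 69.72.64.2,69.72.0.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
# Body of an O4 line: "HKLM\..\Run: [label] command"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
PATH_RE = re.compile(r"^(.+?\.(?:exe|dll|ocx))(?:\s|$)", re.IGNORECASE)

# Heuristic allowlist (an assumption of this example): on the XP box in the
# thread, legitimate startup items live under these directories.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def executable_path(cmd: str) -> str:
    """Extract the program path from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:cmd.find('"', 1)]
    if cmd.upper().startswith("RUNDLL32.EXE "):   # rundll32 <dll>,<entrypoint>
        return cmd[len("RUNDLL32.EXE "):].split(",", 1)[0].strip()
    m = PATH_RE.match(cmd)                        # unquoted path, maybe with switches
    return m.group(1) if m else cmd


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(O-code, body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def triage_hjt(text: str) -> Dict[str, list]:
    """Apply the allowlist to processes and autoruns; collect O17/O20 for review."""
    processes, entries = parse_hjt(text)
    report: Dict[str, list] = {
        "untrusted_processes": [p for p in processes if not is_trusted_location(p)],
        "untrusted_autoruns": [],   # (label, path) pairs outside the allowlist
        "dns_servers": [],          # O17 values, to compare with the ISP's servers
        "winlogon_notify": [],      # O20 DLLs loaded by winlogon, always worth a look
    }
    for code, body in entries:
        if code == "O4":
            m = O4_RE.match(body)
            if m:
                path = executable_path(m.group("cmd"))
                if not is_trusted_location(path):
                    report["untrusted_autoruns"].append((m.group("label"), path))
        elif code == "O17":
            m = NS_RE.search(body)
            if m:
                report["dns_servers"].extend(m.group("servers").split(","))
        elif code == "O20":
            m = O20_RE.match(body)
            if m:
                report["winlogon_notify"].append(m.group("dll"))
    return report


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_HJT).items():
        print(f"{key}: {items}")
```

The allowlist is deliberately coarse: a path under Program Files is not proof of legitimacy, and the O17 servers and O20 DLL are reported rather than judged, because whether they belong there is something only the machine's owner (or the ISP) can confirm.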
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,451
    First Name:
    Derek
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  7. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    Thanks!

    Actually, all that I have checkmarked in STARTUP are:
    zlclient (zonealarm) - not sure how to temp. disable that
    also:
    NvCpl
    avastUI
    ctfmon
    Creative\SyncManager
    AdobeUpdateMgr

    As for AVAST, since I have the latest version, the link you gave is outdated, since the latest version does not state "Stop On Access Protection", but rather a "shields control" dropdown offering various "Disable" options, such as 10 min., One Hour, etc.

    P.S. I feel I should add that due to an unexpected development, I might soon get cut off totally from the Net.

    See, I just logged on via a free dialup ISP [my backup svc], because the connections of my regular dialup ISP (which I'd been using for several years already) had not been connecting.

    When I contacted the phone company about it (they rent Verizon's lines), they arbitrarily told me they're not going to let me connect to any internet numbers from now on, and never mind how many years I was their customer already, and never mind that all those years they were probably overcharging for the analog phone svc anyway (approx. $50 per month).

    For some reason (at least for now) I still seem to be connecting via the free ISP, but even that's unstable and filled with enforced ads.

    So for the time being (taking into account possible upcoming limitations), I'll attempt to follow through with the above instructions. BTW, I already got disconnected while typing this; that's the instability I'm up against here. Just letting you know - sorry.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,451
    First Name:
    Derek
    Your only other alternative is to take the computer to a repair shop or format it & reinstall Windows.

    It isn't surprising that you have been infected, because you are not up to date with Windows updates & are using vulnerable software.
     
  9. jelleym

    jelleym Thread Starter

    Joined:
    Sep 6, 2001
    Messages:
    634
    Okay. Sending PM response.
     
Short URL to this thread: https://techguy.org/915624
