
Author Topic: For a friend  (Read 4642 times)


patio

    Topic Starter
  • Moderator


  • Guru
  • Maud' Dib
  • Thanked: 1389
    • Yes
  • Experience: Beginner
  • OS: Windows 7
For a friend
« on: February 28, 2008, 03:49:24 PM »
Got a panic call from a friend I built a new system for not long ago.
XP Pro
All updates in place.
Symptoms: Will not boot to normal mode.
Very quick command prompt window flashes...something about shutdown.exe.
Also a run32 dll error message, then the system shuts down.
Followed the suggestions and am posting the logs.
The system will run in safe mode, however I was unable to remove Java from Add/Remove...which is where I tracked one of the baddies down.
It is restricting Admin rights in safe mode and also showing Windows Installer error messages. Whether the 2 are related I can't tell.
Struggling to get ESET to run properly but here are the other 2 logs for now.
Thanx in advance....

[file cleanup - saving space - attachment deleted by admin]
"All generalizations are false, including this one."

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 482
    • evilfantasy's blog
  • Experience: Beginner
  • OS: Windows 7
Re: For a friend
« Reply #1 on: February 28, 2008, 04:22:07 PM »
Wild log......Feels like a test.

HijackThis v2.0.0 (BETA): we need to get the new version of HijackThis installed to the default location and post a new log using it.

Can you not run Avast in safe mode to see if it removes any of the malware?

We can do a few things before posting the new HJT log.

Download Trend Micro CWShredder

1. Double click the CWShredder.exe to open the program and click on I AGREE to accept the license agreement.
2. Checkmark the option Move CWS files found to the Recycle Bin instead of deleting them as a precaution. We can empty the Recycle Bin later once the infection is cured.
3. Click on Update to ensure the latest updates are installed.
4. Click Fix to let CWShredder look for and fix any CWS infection it finds.
5. Click OK in the confirmation screen to continue.
6. CWShredder will scan your system for known variants of CWS infections; the scan results are shown.
7. Click Next to continue.
8. Click Exit to exit the program.

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

Next post:
  • SDFix log
  • New HijackThis log


evilfantasy
Re: For a friend
« Reply #2 on: February 28, 2008, 04:32:46 PM »
Also, what about Superantispyware and Dr Web?

patio
Re: For a friend
« Reply #3 on: February 28, 2008, 09:01:48 PM »
Avast ran in safe mode...found baddies and cleaned them.
On 2nd scan they were still there so it seems it's replicating itself.
Just so you know, everything I've tried up to now seems to almost get rid of things, but on subsequent re-boots: failure.
I'll run the CWS and SDFix as well as SAS and Dr.Web.

PS Vundo found nothing.

Again Thanx

evilfantasy
Re: For a friend
« Reply #4 on: February 28, 2008, 09:53:59 PM »
I would hope that CWS, SAS and Dr.Web along with SDFix will get most if not everything, so I am curious to see the results.

The reason I say it feels like a test is that most if not all of the infections shown in HJT have been known for quite some time and aren't much of a problem any more with updated security programs. Nothing "in the wild", which is indicative of a practice log from an online school; a nice mix of bad guys is represented. Although they are some of the more "sticky" ones, as you have already found.

Were there error messages during the failed Java uninstalls?

patio
Re: For a friend
« Reply #5 on: February 28, 2008, 10:07:43 PM »
Attempting to uninstall the 4 or 5 instances of Java resulted in a very quick command prompt window and a restart.
Pause/Break key was no help whatsoever.
Just to let you know, here's what has been run so far:
Avast / deep scan
Spybot
AdAware
AVG Anti-Spyware
Stinger (in safe mode)
VundoFix
NTRegopt

As to the known infections, I understand where you're coming from...he's not one for housekeeping and is fairly casual about his protection strategy...however I pretty much have done the basics and I still cannot get the machine to boot properly.
I'll do your follow up tasks and let you know...again Thanx

evilfantasy
Re: For a friend
« Reply #6 on: February 28, 2008, 10:29:14 PM »
I'm pretty sure NTRegopt is also installed along with SDFix as it uses ERUNT to make the backups created before running and NTRegopt for the cleanup procedure.

Brute force may be needed to uninstall the old java. Not sure how yet as I have never had or seen that particular problem. Have you tried to install the new version of java yet?

I have a feeling that the PC has been infected for a while and it is finally to this point. Hopefully I can help clear the malware to the point where you can work your magic and revive the OS.

Edit: After some tinkering/investigating, try going into C:\program files\java (given Program Files is the install location).
Open the Java folders and see if there are installers there. Running the installer presents the option to modify/remove. Choose Remove, obviously.

Or, you can find most of the old installers here: http://www.filehippo.com/download_java_runtime
And the rest here: http://www.oldversion.com/program.php?n=java

The downside of this is you may need a good internet connection for it to work.

« Last Edit: February 29, 2008, 01:01:27 AM by evilfantasy »

patio
Re: For a friend
« Reply #7 on: February 29, 2008, 09:49:25 AM »
ESET log file attached...
I'm on my way over to his Office now to run the other tools.

[file cleanup - saving space - attachment deleted by admin]

evilfantasy
Re: For a friend
« Reply #8 on: February 29, 2008, 11:49:15 AM »
From the items found by ESET he earns the backdoor vulnerability speech.

Backdoor Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steals sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

When should I re-format? How should I reinstall?
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.

patio
Re: For a friend
« Reply #9 on: February 29, 2008, 02:51:05 PM »
SDFix ran...report attached.

[file cleanup - saving space - attachment deleted by admin]

evilfantasy
Re: For a friend
« Reply #10 on: February 29, 2008, 03:11:02 PM »
That was a let down, nothing found.

Any luck with SAS? Remember to post a new HJT log also (after installing the new version of HJT)

patio
Re: For a friend
« Reply #11 on: February 29, 2008, 05:54:07 PM »
SAS would not run in safe mode...I was kinda surprised by that.

DR Web running now...looks like it'll be awhile.
DLoad of the new HJT and a new scan to follow.
Thanx Again.

patio.

patio
Re: For a friend
« Reply #12 on: March 01, 2008, 10:30:56 AM »
OK... at a bit of a standstill here...do I let Dr.Web cure all these?
Log attached.
Sorry if it's a mess, but it saves as a .csv file so I had to convert it...

[file cleanup - saving space - attachment deleted by admin]

patio
Re: For a friend
« Reply #13 on: March 01, 2008, 10:38:28 AM »
New HJT log

[file cleanup - saving space - attachment deleted by admin]

evilfantasy
Re: For a friend
« Reply #14 on: March 01, 2008, 11:56:07 AM »
DRWEB should cure/delete all of that. Some are backups from combofix and SDFix and the rest are (I believe) related to the remote tools from the backdoor trojan.

HJT looks much better but still some work to do.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {D94293A8-568A-4BED-992B-94B9CBDC2148} - http://corp.2by2.net/toolbar/bin/2by2Bar.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -


Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Any luck in updating Java?

It looks like safe mode is still the only option, can you do an online scan in Safe mode with network support? I suppose so since you ran ESET.

BitDefender updated their online scanner recently to include their spyware database so I would like to run that now.

----------


This scanner works with Internet Explorer only.
Go to the BitDefender Online Scanner.
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.

Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once BitDefender completes the scan:
Click on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
(take notice of where you save it so you can find it later)

This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or worse a log summary, which is useless to us.

Post the bdscan.txt in the next post as an attachment.

Next post:
  • Bdscan log
  • New HijackThis log
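The entries evilfantasy picks out above follow a few recognisable patterns: R-lines whose search value has been set to about:blank, CLSID registrations that end in "(no file)", and O16 Download Program Files entries that either have no source URL or pull a .CAB from a bare IP address. The following is an added example, not code from the forum or from HijackThis: a small Python triage helper that parses lines in the HijackThis log format and applies those flags. The flag names and the heuristics behind them are this example's own assumptions, and the sample log is constructed from a subset of the entries quoted in the post plus one header line.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
forum's or HijackThis's own code). It parses R/O entry lines such as the
ones quoted in the thread and flags the patterns a log reviewer looks for.
The flag heuristics are this example's own assumptions, not HijackThis logic."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# "R1 - ...", "O2 - ...", "O16 - ...": section id, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://[^\s]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class HjtEntry:
    kind: str              # e.g. "R1", "O2", "O16"
    body: str              # text after the "Rn - " / "On - " prefix
    clsid: Optional[str]   # first {GUID} on the line, upper-cased
    url: Optional[str]     # first http(s) URL on the line
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a log entry line, or None for non-entry text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return HjtEntry(
        kind=m.group("kind"),
        body=body,
        clsid=clsid.group(0).upper() if clsid else None,
        url=url.group(0) if url else None,
    )


def flag_entry(e: HjtEntry) -> List[str]:
    """Heuristic flags (assumed for this example): what a reviewer checks
    before telling a user to tick an entry for 'Fix checked'."""
    flags: List[str] = []
    # A registered CLSID whose backing file is gone: leftover hijack registration.
    if "(no file)" in e.body:
        flags.append("orphaned-clsid")
    # R-lines are IE start/search settings; about:blank as the search value
    # is the classic CWS-style hijack seen in the thread.
    if e.kind.startswith("R") and e.body.rstrip().endswith("about:blank"):
        flags.append("search-hijack")
    # O16 entries are Download Program Files (ActiveX controls) and their source.
    if e.kind == "O16":
        if e.url is None:
            flags.append("no-source-url")
        else:
            host = urlparse(e.url).hostname or ""
            if IPV4_RE.match(host):
                flags.append("bare-ip-host")
            if e.url.lower().endswith(".cab"):
                flags.append("remote-cab")
    return flags


def triage(log_text: str) -> List[HjtEntry]:
    """Parse every entry line in a log and attach its flags."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def suspicious(log_text: str) -> List[HjtEntry]:
    """Only the entries that earned at least one flag."""
    return [e for e in triage(log_text) if e.flags]


def summarize(log_text: str) -> Dict[str, int]:
    """Count how often each flag fires across the log."""
    return dict(Counter(f for e in triage(log_text) for f in e.flags))


# Constructed sample: a subset of the entries quoted in the thread, plus a
# constructed header line to show that non-entry text is skipped.
SAMPLE_LOG = r"""Logfile of HijackThis (header line, constructed)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {D94293A8-568A-4BED-992B-94B9CBDC2148} - http://corp.2by2.net/toolbar/bin/2by2Bar.CAB
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:<4} {', '.join(e.flags):<28} {e.clsid or ''} {e.url or ''}")
    print(summarize(SAMPLE_LOG))
```

Run it as a script to get one line per flagged entry and a count per flag. The flags are deliberately coarse: they reproduce the reviewer's first pass (is the file missing, where does the ActiveX control come from), not a verdict, and an entry with no flags is simply one the heuristics have nothing to say about.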