Malware that disabled MSE

Hi. I am helping a friend who got some malware on his computer. Just before Xmas he was checking some forum boards he frequents. He isn't sure if he mis-typed an address or not but suddenly pop-ups started and that was unusual. He then noticed that the little MSE icon in the lower right went red. He opened it, and it was turned off. Hitting the START button launched web windows taking him to sites to "help" him. His firewall was taken down as well. He downloaded and ran spybot and cleaned a bunch of cookies etc, but that didn't fix the problem. He tried to surf to Malwarebytes, but was redirected each time. So he turned it off and waited until I got back from vacation.

He is running a Windows XP 32bit system.

I copied the MajorGeeks directions and programs, including a manual Malwarebytes update, onto a thumb drive and went over. We disconnected his computer from the internet and I ran the protocol as directed. Based on the results of the scans and based on MSE still being in the same unstartable state, I think he still has some issues. Please find attached the logs.

Currently, his computer is disconnected from the internet. I live 2 doors down, so my plan is to use the thumb drive to carry directions down there and work on his computer off-line until such time as you tell me I can put him back up.

Thanks in advance for your help!!

Darin

 

Will do.

Thanks Tim! Have a great dinner!!

Darin

 

Hi Tim. I am attaching a couple of versions of the RogueKiller logs. I had extras as I did a rescan or two.

Mark had turned his computer off. So we rebooted before we began. I did not find the following in RogueKiller to eliminate.

REGISTRY
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-220523388-1500820517-1801674531-1005\$2073061477c7966e2e60e649a2ec6816\n) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\n) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\n) -> FOUND

FILES TAB
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-220523388-1500820517-1801674531-1005\$2073061477c7966e2e60e649a2ec6816\n --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND

On the files tab, I could not find a way to select or unselect anything. However, the six files that were found after the scan were 6 of the ones you wanted, as follows...

[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-220523388-1500820517-1801674531-1005\$2073061477c7966e2e60e649a2ec6816\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-220523388-1500820517-1801674531-1005\$2073061477c7966e2e60e649a2ec6816\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$2073061477c7966e2e60e649a2ec6816\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-220523388-1500820517-1801674531-1005\$2073061477c7966e2e60e649a2ec6816\L --> FOUND

When we ran the first scan, ZeroAccess was again found by RogueKiller. Hit the delete button. Looked like more than I had manually selected got deleted.

Then ran Hitman, still in the offline mode. Selected both of the problems it found for quarantine and let Hitman fix them. Then instructed the computer to shut down. The computer dumped all of the icons on the screen, but hung with the desktop photo displayed and the mouse responsive. After 4 or 5 minutes of nothing on the screen changing, I used the power button to force-power off. Hate doing that but CTRL-ALT-DEL didn't do anything either so....

Turned it back on and ran both again. RogueKiller still highlighted some things, but no big warning about ZeroAccess. No big warnings from Hitman either. Logs attached.

Thanks!

Darin

 

This is the final log from RogueKiller...

 

Oh, and as an aside, I opened MSE and tried to hit the Start Button. Still couldn't re-start MSE. Perhaps it is simply broken and needs a reinstall.. I didn't know of any other way to look for still-active malware.

Darin

 

Hi Tim.

Ok, done.

Noticed in running the deletes in RogueKiller that after hitting the delete button, only one of the entries I selected was listed as deleted. There were several entries that were ignored, of course, but one of the two I checked wasn't listed as deleted. Don't know if that matters or not.

Also, fwiw, when I got to Mark's this evening and we turned on the monitor, we found that spybot had run an autocheck.

Please let me know what is next.

Thanks!

Darin

 

Thanks Tim.

Sorry for the delay. Got a stomach bug (human virus) and it kinda laid me out for a few days. And now I am cleaning another pc with what appears to be the same darn thing. These human and computer viruses are a real pain!

I passed those simple directions to my buddy. Told him to try to re-run MSE, but that I figured it was broke. Told him to go ahead and uninstall and re-install it and run a scan and see what happened and to report any other problems to me to pass along. (fingers crossed)

Just out of curiosity, how freaked out should he be about changing all his passwords? Is this a big data stealer? Any other security concerns he should have?

Thanks a bunch again.

Darin

 

Hi Tim.

So I passed my friend those directions. Here is what he sent me back.


*********
Deleted those files then upgraded MSE. MSE wanted a Quick scan run, and then a full. Found a Trojan...

http://www.microsoft.com/security/p...e=Trojan:Win32/Sirefef.AB&threatid=2147654467

Which I let MSE remove.

Seems to be good now.
*********


Don't know what the trojan warning is, and don't know if we should trust MSE's removal. Think we are good, or does this warrant more work?

Thanks
Darin

 

Hi Tim.

Here is the log.

Thanks for taking another look!

Darin