Please help with undetermined infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by RINGO389, Jul 7, 2009.

  1. RINGO389

    RINGO389 Private E-2

    Hi,

    I'm new here, at least to posting in the forums. I have utilized the downloads section for quite a while and, most recently, the guide to malware removal.

    The system I built/ configured for a friend's son became infected with the Skynet Rootkit.

    Thanx to your wonderful information regarding malware removal, that system is now clean.

    Which brings me to the reason for my visit and solicitation for your assistance.

    After discovering the infection on the XP system, I checked my system, which is running Win98SE.

    To my horror I found I had two registry keys infected.

    I followed your instructions for my OS and cleaned my system. Though all scans came up clean, something didn't feel right.

    When I try to access the Internet Properties for IE (not my primary browser), nothing happens. If I open the browser to access the properties, it tells me:

    "The operation has been cancelled due to restriction in effect on this computer. Please contact your system administrator."

    I can run NAV scans when I manually initiate them but when they are supposed to run as per the schedule within NAV I get the error that there are missing files.

    As if that wasn't enough of a headache, in addition to my system resources going so low that I cannot open anything, there is another problem.

    I cannot ascertain what is causing this problem, but PeerGuardian 2 shows massive attempts of *something* trying to get out and contact the IPs for things like ClearBlue, Tribal Fusion, PSI Fakes Photobkt, AdBrite, etc. The list goes on and on, as do the attempts to make contact.

    This activity, according to PG2, started on 6-29-09. Prior to that, there was no activity, outgoing or incoming.

    After the initial detection and removal of the infected registry keys I have completely removed SAS from the system, rebooted and reinstalled.

    Please don't be angry... I know your removal guide says not to remove/install anything, but I initially thought my system was clean. It was only after I discovered the outgoing attempts that I realized I still had a fugly. I was hoping the removal/reinstallation of SAS would identify it (Spybot is keeping silent regarding this condition.)

    But SAS doesn't want to run after it updated, not even in safe mode.

    Any assistance you can provide will be greatly appreciated.

    I have another system which needs to be checked after this one is cleaned. All three systems were on the network and in communication (sharing files) with each other.

    I never discovered the source of the initial Skynet Rootkit infection, so I don't know whether the third sys is also infected.

    But, one system at a time.....

    Many thanx,

    Ringo389
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you have gone thru the Read and Run First instructions, then please attach the requested logs.
     
  3. RINGO389

    RINGO389 Private E-2

    Hi,

    I wanted to say thank you in advance for your time and assistance.

    I am so embarrassed that my system is compromised.

    Anywho, after finding the Skynet rootkit on another system on the network (which was sharing files with two of my systems), I scanned the system for which I am seeking your assistance (I'll tackle the third system after this one is clean).

    Please do not be angry that there are several logs for each of the programs... I am so exhausted I do not remember which scans I ran before/ after reading your guides. Additionally, I tried to open the logs through Spybot and they all say Nothing Found but Spybot *did* find CoolWWWSearch.Aff.Winshow and Winsoftware.WinAntiVirus2005pro. I apologize for making things more difficult.

    SAS will no longer start either in regular mode or safe mode.

    Though the options to Lock the IE start page and Lock the Control Panel are NOT checked, I cannot do things like access IE properties, even though it is not my default browser.

    I get the error: " This operation has been cancelled due to restriction in effect on this computer. Please contact your system administrator" when I try to perform various tasks.

    I also intermittently get the error that the control panel is locked when I right-click on My Computer.

    Before Spybot identified and (hopefully) killed what it had found, my bookmarks were multiplying like crazy. At one point I had over 5050 bookmark files, exceeding 560 MB.

    Right now I have 13 bookmark files.

    Since the problem on my system was discovered, I have not tried to go online, especially since something is trying to contact various adware sites as per Peer Guardian 2. I am using a different system to access your forums.

    My system resources go so low, even without using the system, that I cannot open any programs.

    I have to do a second post to include the MGLog file.


    Many thanx,

    Ringo389
     
  4. RINGO389

    RINGO389 Private E-2

    Hi,

    Sorry, I need to give you more than 4 logs... I cannot ascertain which one(s) had the information regarding the infections.

    I apologize for the inconvenience.

    Many thanx,

    Ringo389
     


  5. RINGO389

    RINGO389 Private E-2

    Hi,

    It's been one of those days... the first logs didn't post....


    Ringo389
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. RINGO389

    RINGO389 Private E-2

    Hi,

    Here are the logs you requested.


    Many thanx,

    Ringo389
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any issues with malware. I suggest that you post in the software section for additional assistance.
     
  9. RINGO389

    RINGO389 Private E-2

    Hi,

    Many thanx for all of your assistance.



    Ringo389
     
  10. RINGO389

    RINGO389 Private E-2

    Hi,

    I hate to be a pain, but I still have lingering problems.

    The most annoying of which is that my bookmarks are spawning.

    While I was not using the system, the bookmark count was holding at 13.

    Tonight, I used this system to reply to this forum and the bookmark count went to 18, even though I have NOT saved any new bookmarks.

    Now, the count is at 25.

    What kind of program causes bookmark files to spawn?


    Many thanx,


    Ringo389
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You probably have your bookmark file/folder set to read-only, which prevents it from being written. You need to change the file so that it is not read-only. Just right-click on it and select Properties, uncheck the Read-only box and click Apply. This is not a malware problem. It is a file permissions problem.
     
  12. RINGO389

    RINGO389 Private E-2

    Hi,

    I fixed the problem with the bookmarks, and the file was somehow changed to read-only.

    I am still trying to discover what it is that is trying to contact multiple advertising sites.

    All of the scans have been clean.

    Over the past two days I put a spare hdd in my system and put XP pro SP2 on it. I then installed Malwarebytes, SAS, Spybot and AVG8.

    I then put my Win98 SE hdd on the secondary channel so I could boot into XP without anything from the original hdd loading.

    I found two registry keys infected, which have been removed, but *something* is still trying to contact the advertising sites when I boot with my Win98 SE hdd.

    Nothing has identified a problem.

    I have not been able to find anything related to this on Google.

    Another interesting change is that every time I run an antivirus scan (Win98 hdd), the file count keeps getting lower.

    I am using NAV 2003 Pro, virus defs 20090719.004. (The previous def file was 20090702.)

    And since the virus def file was 50+ MB, the count certainly should not have dropped.

    This version of NAV, as far as I have been able to ascertain, does NOT skip previously clean/ unchanged files.

    I started with 81400+ files and the last scan showed 81003.

    Whatever is happening is defying all attempts at identification.

    Any ideas would be greatly appreciated.


    Many thanx,


    Ringo389
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which PC with which OS are you talking about? You keep talking about Win98 and XP. You must only work on one PC and talk about only one PC in a thread. I assume you mean the Win98 PC? Try uninstalling Weatherbug since it is adware supported and will contact ad sites. What exact sites are you referring to?


    Also, do you know what the below files are for?
    Code:
    "C:\WINDOWS\SYSTEM\"
    convdsn.exe   Jun  6 2009       28672  "CONVDSN.EXE"
    mxntdfg.exe   Jun 19 2009       20224  "mxntdfg.exe"
     
    Last edited: Jul 21, 2009
  14. RINGO389

    RINGO389 Private E-2

    Hi,

    The sys with which I have been dealing is the sys with Win98.

    I had installed, temporarily, a hdd which I put on the primary ide channel (the Win98 hdd was put on the secondary channel), and put XP on it so I could run anti malware tools (as well as AVG) that will not run under Win98.

    So far all scans are negative.

    I had completely wiped weatherbug from the hdd and the registry last week, but outgoing attempts kept showing in PeerGuardian 2.

    I had a friend install PG2 on his XP pro sys, also running the paid version of weatherbug, but he did not report any outgoing attempts.

    Upon recommendation to install a packet sniffer, I installed Smart Sniff and it is indeed weatherbug that is attempting to access the ad sites.

    The blocked outgoing attempts are to numerous sites, including, but not limited to:

    PSI Fakes Photobkt Split_B
    ClearBlue Technologies
    Tribal Fusion
    AOL Data Transit Network, Inc.

    and the list goes on, but PSI Fakes Photobkt Split_B is the most common.

    As for the two files you are questioning, I have no idea what they are or what installed them.

    I will change their extensions to see what, if anything, responds negatively, and then will delete them.

    Your time and assistance has been greatly appreciated.


    Many thanx,


    Ringo389

    Now I just have one more system to check..... hopefully it will be clean.
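    The attribution step described in the post above (matching the outbound attempts a blocklist firewall reports to the process that owns the socket, which is how the sniffer pinned the traffic on Weatherbug) as an added example; this is not code from the thread, from PeerGuardian 2 or from SmartSniff. It assumes two constructed, simplified inputs: a block log of the form `timestamp; local socket; remote socket; list label` and netstat-style connection snapshots that name the owning process; neither is the real output format of those tools, and the process and socket values are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample block log (simplified, not PeerGuardian's real format): "timestamp; local; remote; list label"
BLOCK_LOG = """\
2009-06-29 22:14:03; 192.0.2.10:1043; 198.51.100.7:80; Tribal Fusion
2009-06-29 22:14:05; 192.0.2.10:1044; 198.51.100.7:80; Tribal Fusion
2009-06-29 22:14:09; 192.0.2.10:1045; 203.0.113.21:80; ClearBlue Technologies
2009-06-29 22:15:31; 192.0.2.10:1047; 203.0.113.40:443; PSI Fakes Photobkt Split_B
"""

# Constructed netstat-style snapshots with the owning process (simplified): "timestamp local remote process"
CONN_SNAPSHOTS = """\
2009-06-29 22:14:03 192.0.2.10:1043 198.51.100.7:80 weatherbug.exe
2009-06-29 22:14:05 192.0.2.10:1044 198.51.100.7:80 weatherbug.exe
2009-06-29 22:14:08 192.0.2.10:1045 203.0.113.21:80 weatherbug.exe
2009-06-29 22:16:00 192.0.2.10:1047 203.0.113.40:443 weatherbug.exe
"""

def parse_blocks(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, label = [p.strip() for p in line.split(";")]
        rows.append((datetime.strptime(ts, FMT), src, dst, label))
    return rows

def parse_snapshots(text):
    rows = []
    for line in text.splitlines():
        date, clock, local, remote, proc = line.split()
        rows.append((datetime.strptime(f"{date} {clock}", FMT), local, remote, proc))
    return rows

def attribute(blocks, snaps, window=timedelta(seconds=5)):
    """Credit each blocked attempt to the process seen owning the same
    local->remote socket within `window`; otherwise count it as 'unknown'."""
    by_socket = defaultdict(list)
    for ts, local, remote, proc in snaps:
        by_socket[(local, remote)].append((ts, proc))
    per_process, labels = Counter(), defaultdict(Counter)
    for ts, src, dst, label in blocks:
        # A snapshot far outside the window (the 22:16:00 entry) is not trusted as the owner.
        owner = next((p for t, p in by_socket.get((src, dst), [])
                      if abs(t - ts) <= window), "unknown")
        per_process[owner] += 1
        labels[owner][label] += 1
    return per_process, labels

# Usage: counts, labels = attribute(parse_blocks(BLOCK_LOG), parse_snapshots(CONN_SNAPSHOTS))
```

    `counts.most_common()` then lists the chattiest process first, and `labels[process]` shows which ad-network list entries each process was hitting; attempts left as "unknown" are the ones a longer-lived snapshot (or a sniffer run alongside the firewall) still has to explain.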
     
  15. RINGO389

    RINGO389 Private E-2

    Hi,

    The two files you questioned are legitimate files.

    Convdsn.exe is part of MS Office 97, and

    Mxntdfg.exe is part of Ontrack SystemSuite.

    Should I re-run all of the scans and post the logs?


    Many thanx,

    Ringo389
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Did you uninstall Weather Bug and are you still having any problems?
     
  17. RINGO389

    RINGO389 Private E-2

    Hi,

    Sorry I haven't been able to respond until now.

    Weatherbug is definitely the source of the outgoing attempts.

    When I deleted it, and all files in Windows\Temporary Internet and then rebooted, the outgoing attempts stopped.


    Ringo389
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  19. RINGO389

    RINGO389 Private E-2

    Hi,

    Many thanx for all of your time and assistance.


    Ringo389
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
