read and run me first report - problem running several scans

Discussion in 'Malware Help (A Specialist Will Reply)' started by jiminycricket13, Jul 7, 2009.

  1. jiminycricket13

    jiminycricket13 Private E-2

    I have Microsoft XP. When on surfthechannel.com 7/5/2009, a phony antivirus program popped up (forgot the name) along with a bunch of other popups (both internet popups and virus notifications from "Microsoft" that came from the phony antivirus logo on the bottom right hand corner by the clock). I didn't do anything but close all the windows as they popped up. We ran Malwarebytes, Spybot, and free AVG, which found tons of trojans and the like, but the problem did not resolve at reboot. The AVG log is attached; I know this is not one you ask for in READ and RUN ME FIRST, so ignore it if you would like =) The Malwarebytes log was as follows:
    Malwarebytes' Anti-Malware 1.31
    Database version: 1597
    Windows 5.1.2600 Service Pack 3

    2009-07-06 13:01:53
    mbam-log-2009-07-06 (13-01-53).txt

    Scan type: Quick Scan
    Objects scanned: 61525
    Time elapsed: 20 minute(s), 0 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    C:\WINNT\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINNT\system32\__c007AE69.dat (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007ae69 (Trojan.Vundo) -> Delete on reboot.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2610b0a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINNT\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
    C:\Documents and Settings\Carmen\Local Settings\Temporary Internet Files\Content.IE5\0VJJQKPT\flvjj[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Carmen\Local Settings\Temporary Internet Files\Content.IE5\2MCDQYZN\fcdzd[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Carmen\Local Settings\temp\_A00F2610B0A.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Carmen\Local Settings\temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\__c007AE69.dat (Trojan.Vundo) -> Delete on reboot.
    C:\WINNT\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINNT\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Carmen\Local Settings\temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    Now, when the computer is started, there is no taskbar at the bottom of the screen (no start menu or time) and no icons on the desktop. I was able to open task manager and access programs from there.
    At this point I began to follow the read and run me first. (sorry, so much for first...)

    CCleaner ran without a problem on both of my accounts (administrator and one other).

    I could not enable viewing of hidden files because I can't find Control Panel from the 'Run' option in Task Manager.

    When attempting to open SAS, the following error message occurred: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I attempted to download it again (it had already been on my system from a previous bout with READ and RUN ME FIRST), my internet would stop working when I got to the download page (connection error), but resume normally on any other page.

    Malwarebytes ran fine for a second time. The log is as follows:
    Malwarebytes' Anti-Malware 1.31
    Database version: 1597
    Windows 5.1.2600 Service Pack 3

    2009-07-07 00:24:02
    mbam-log-2009-07-07 (00-24-02).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 151052
    Time elapsed: 35 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 16

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Delete on reboot.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINNT\system32\grffr83hn.dll (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    C:\WINNT\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\WINNT\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\Temp\svchost.exe (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\NetworkService\reader_s.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Carmen\reader_s.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINNT\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


    ComboFix would not open; when I attempted to run it, I got an error message saying it was unsafe to proceed, that I may have a patching virus called "Virut," and that I should download ComboFix again from BleepingComputer, which I did, and got the same error message.

    RootRepeal and MGtools worked fine.
    The logs are attached. Thanks in advance for your help!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    IMPORTANT NOTE: Some, if not many, of your Windows system files are infected. And many other non-Windows files could also be infected. Even if we attempt to fix these problems (which may not be easy to do unless you have an original Windows XP SP3 bootable CD), your system may be unreliable and untrustworthy. You may need to reinstall this system.

    Your logs show that your Windows operating system files have become infected and there is no known reliable fix for this. In addition there are many, many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately, or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is back up your personal data immediately, since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded, since any of them could be infected.

    Once you back up, you need to perform a total reinstall of Windows and all other necessary software. DO NOT reinstall from any executable files you backed up, because they are most likely infected.
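The two Malwarebytes logs in the first post, read side by side, carry the evidence TimW's reply rests on: the second scan, run after the first one had already cleaned up, reports a kernel driver (protect.sys with a matching Services\protect entry), fresh Run entries (reader_s, services) and a svchost.exe in Temp that the first scan never saw, and both scans have items MBAM could only defer to reboot. The script below is an added example for this thread, not code from either poster, from MajorGeeks or from Malwarebytes. It parses MBAM 1.x detection lines, maps registry hits to the Windows autostart mechanism they sit in, lists what was deferred to reboot, and diffs two scans to show what came back. The mechanism labels and the rule table are my own; the embedded sample logs are lines copied from the two logs above, trimmed to a few per section.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs (added example).
Not code from the original posts, from MajorGeeks or from Malwarebytes.
Parses detection lines of the form "<location> (<Name>) -> <action>.",
maps registry hits to the autostart mechanism they abuse, lists items
deferred to reboot, and diffs two scans to show what reappeared.
"""
import re

# Section header; a trailing count means the summary block, not a detail list.
_HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# Detection line. The name must start with a capital letter so that the
# "Bad: (1) Good: (0)" fragment of a data-item line is never taken as the name.
_DETECTION = re.compile(r"^(?P<loc>.+?) \((?P<name>[A-Z][A-Za-z0-9.]*)\) -> (?P<rest>.+)$")

# Ordered (first match wins); matched case-insensitively against the location.
PERSISTENCE_RULES = [
    ("\\policies\\", "Policy lockout"),                  # disables regedit / Folder Options
    ("\\winlogon\\notify\\", "Winlogon Notify"),         # DLL loaded by winlogon.exe at logon
    ("\\sharedtaskscheduler\\", "SharedTaskScheduler"),  # COM object loaded by Explorer
    ("\\currentversion\\run\\", "Run key"),              # started at every logon
    ("\\services\\", "Service/driver entry"),            # service or kernel driver registration
    ("\\clsid\\", "COM CLSID"),                          # class registration the above point at
    ("\\drivers\\", "Kernel driver file"),               # the .sys a service entry loads
]

def parse_mbam(text):
    """Return one dict per detection: section, location, name, action."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        h = _HEADER.match(line)
        if h:
            if h.group("count") is None:   # detail header, not the summary line
                section = h.group("section")
            continue
        d = _DETECTION.match(line)
        if d and section:
            # Data items read "Bad: (1) Good: (0) -> <action>"; keep the final arrow.
            action = d.group("rest").split(" -> ")[-1].rstrip(".")
            records.append({"section": section, "location": d.group("loc"),
                            "name": d.group("name"), "action": action})
    return records

def persistence_points(records):
    """(mechanism, location) for each detection sitting in a known autostart spot."""
    hits = []
    for r in records:
        low = r["location"].lower()
        for fragment, label in PERSISTENCE_RULES:
            if fragment in low:
                hits.append((label, r["location"]))
                break
    return hits

def deferred(records):
    """Items MBAM could not remove while Windows was running."""
    return [(r["section"], r["location"]) for r in records if r["action"] == "Delete on reboot"]

def reappeared(first, second):
    """Locations hit in the second scan that the first scan never reported."""
    seen = {r["location"].lower() for r in first}
    return sorted(r["location"] for r in second if r["location"].lower() not in seen)

# Sample input: lines copied from the two logs in the thread, trimmed to a few each.
SCAN1 = r"""
Memory Modules Infected:
C:\WINNT\system32\__c007AE69.dat (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007ae69 (Trojan.Vundo) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2610b0a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINNT\system32\__c007AE69.dat (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Carmen\Local Settings\temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SCAN2 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINNT\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\Temp\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Carmen\reader_s.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    s1, s2 = parse_mbam(SCAN1), parse_mbam(SCAN2)
    for label, loc in persistence_points(s1) + persistence_points(s2):
        print(f"{label:22} {loc}")
    print("deferred to reboot:", deferred(s1) + deferred(s2))
    print("new in second scan:", *reappeared(s1, s2), sep="\n  ")
```

Two things this output makes concrete. First, the Policy lockout hits explain the symptoms in the first post: DisableRegistryTools=1 blocks regedit, and NoFolderOptions (in the full first log) removes the Folder Options dialog where hidden-file viewing is toggled, so "can't enable hidden files" is the malware's doing, not a missing Control Panel. Second, a service plus kernel driver and new Run entries appearing only in the second scan means something still running re-established persistence after the first clean-up, which is the reinfection TimW describes. The parser cannot see the other half of his point: the ComboFix warning about Virut, a file infector that patches executables, concerns system binaries MBAM's named-detection log does not enumerate, so an empty reappeared() list on a later scan would not by itself mean the machine is clean.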
     
