Trojan, Worm or just plain Hacked??

Discussion in 'Malware Help (A Specialist Will Reply)' started by StiinaQT, Nov 29, 2010.

  1. StiinaQT

    StiinaQT Private First Class

    Here I am again, after another of my son's sleepovers and my machine has something again. I don't know what it is as nothing seems to identify it. I found a hidden user that had been added (now gone) and my networking (wireless) adapter and associated files all have this user now attached to them that I can't get rid of and it keeps shutting my adapter down so I can't access the internet through my network at home. I am using my other son's computer now to try to get a clue what is going on.

    I have run Spybot and got my usual cookies/trackers (4) that keep coming back (log to come).
    I have run Super AntiSpyware (log to come) and it found more cookies/trackers.
    I have run MBam and it found a trojan which may not have been, but I deleted it anyway in case it was hiding in a known software. (Log to come)

    I got to ComboFix and have never had this issue; it not only got deleted from my desktop when I went to load the installation file, but the copy on my flash drive got deleted--twice!--as well. I'm going to try to rename it to see if that will trick my computer, but I'm not really too hopeful.

    I forgot to copy my log files to my flash drive, but thought I would go ahead and post this in case you have an idea as to what is going on with my computer and post the logs here shortly when I go try the ComboFix again. Right now I'm re-running my Avast scan just because I had nothing else to try at this point until I post my logs and get some direction from you.

    You guys are the best! Thanks in advance for your help. I'd be completely down if you didn't help me every time this happens.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hard to give you any reasonable answer without looking at your logs.
     
  3. StiinaQT

    StiinaQT Private First Class

    Tim, sorry about that but my computer is so bad that I ended up turning it off and not retrieving the logs. It's either a Trojan or a worm and I can't seem to get anything to work. It either deletes the file (as in the entire program, like ComboFix and RootRepeal) or shuts it down and corrupts the files so it can't run. I am at my wit's end with it. I ran CCleaner and I have never had that many bad registry files in less than one day. I did get the Worm Blaster (? I think that is the program) to run once, but it took 5 hours to complete and then whatever I have returned with a vengeance and now it won't run again. I'm ready to hand my CPU over to my local professional Geek and see what he can do with it. I hate to bother him, but I think this is one of those times I back off and let a pro take over--plus my oldest son's CPU has a bad power supply--and he usually gives a bit of a discount when he fixes two.
    Sorry for not getting the logs, I have just run out of time and patience with this one. I have spent just about 2 full days and nights on it and, working full time, I don't have any time left. So much for my leisurely vacation day... I'll see if my son has time tomorrow to work with it and post the logs for me; with no computer to surf with, what else does he have to do? lol
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. Just let me know what you finally decide to do with that system.

    If you want to try this, it may help:

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:

    • C:\avplog.txt - from AVPfind
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools

    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  5. StiinaQT

    StiinaQT Private First Class

    Just got back, Tim and I will try that. After I posted that last note, the computer I'm working on has Online Armor that popped up with "Apartment" as an unrecognized script. The second time it popped up, I did some research that sent me to Cisco/Linksys and 3 patches to fix a vulnerability in our wireless router...exactly the problems I was seeing. Apartment is apparently some type of trojan or worm. I will try what you asked and see if I can get anything from it. In the meantime, DS#1 has been directed to update the drivers for the wireless and perhaps we can get somewhere. I'm at least encouraged. Thanks!!
     
  6. StiinaQT

    StiinaQT Private First Class

    I was able to run the AVPFind, but the exeHelper link didn't work for me. I found out that my Avast was the culprit that deleted my ComboFix, when I was going and getting my logs. I went ahead and ran the ComboFix which took several hours, but it did run and my computer seems functional, but I turned it off until I hear back from you on how to proceed.
     

    Attached Files:

  7. StiinaQT

    StiinaQT Private First Class

    Here is the ComboFix Log too
     

    Attached Files:

  8. StiinaQT

    StiinaQT Private First Class

    Please look below...duh...I posted at the bottom with my logs. Thanks again.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download MGtools and save it to your root folder. That would typically be the C:\ drive. Run the exe and attach the resultant C:\MGLogs.zip.
     
  10. StiinaQT

    StiinaQT Private First Class

    As luck would have it, I had initiated that scan this morning before going to work. Here is the MGTools log.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not attach the C:\MGLogs.zip. You only attached one log from the many that are in the zipped folder.
     
  12. StiinaQT

    StiinaQT Private First Class

    Sorry, I missed that one! Here it is.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have some leftover junk to remove, but other than that, I am not seeing any malware remaining in your logs.

    Let's do this:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\$AVG

    Tell me what malware issues you are having, if any.
     
  14. StiinaQT

    StiinaQT Private First Class

    I did what you had me do. The registry update was successful. I have restored the user account control and rebooted my computer. My only problem is I still cannot get my wireless adapter to work. Something is still defeating it. Any ideas?
     
  15. StiinaQT

    StiinaQT Private First Class

    I spent some quality time with Linksys & on line chat. I now have driver v2 for my computer adapter and all is connected, albeit very slow, but probably until my updated anti's get their sea legs, lol. Thanks again.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  17. StiinaQT

    StiinaQT Private First Class

    I am still having trouble with my network adapter because of that hidden user I'd picked up when my wireless got hacked. It kept turning it off. Just an FYI, I went into my C: drive sharing and permissions and disabled the account then went and changed everything below the C: drive (yes, using inherited permissions) to my account which is the admin. I still have some locked files, but that did enough to allow my adapter to work once I rebooted.

    Do you have any suggestions for getting rid of this? It refers to an "RDH Setup Log" file that is locked and wouldn't allow me to change the ownership. I still have something lurking on my machine, I think, but right now it's beaten into submission. I'm worried it will take over again and it's extremely annoying to have the sound on as the cpu makes the connection/disconnection sound over and over and over again then not be able to connect to the internet.

    And yes, I am now as we speak using my very own computer, finally!!! Yeah!!!
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This sounds like an issue best discussed in the software forum. Am I to assume that you cannot delete that user account?
     
  19. StiinaQT

    StiinaQT Private First Class

    I am not able to get to it with my skill level. I can only see it with the sharing and permissions. I will post the question there. Thanks!
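    The exchange above (a hidden local account that shows up only in file permissions, and the question of whether it can be deleted) is the kind of thing a defender would check from the command line rather than through the Explorer sharing dialog. The following is an added example and is not code from the thread or from any MajorGeeks tool; it runs on the PowerShell 2.0 / WMI / net.exe that a Vista or XP machine of this era had. The expected account names and the driver file name are constructed assumptions to be edited for the real machine.

```powershell
# Added example (not from the thread): list every local account, including the
# disabled ones the Welcome screen hides, flag any that are not on a known-good
# list, and show who owns a driver file. Run from an elevated prompt.

# Accounts that should exist on this machine (assumption: edit to match yours).
$Expected = @('Administrator', 'Guest', 'Laura', 'DS1')

# All local accounts via WMI; works on PowerShell 2.0 where Get-LocalUser does not exist.
$Local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired

Write-Host "Local accounts:"
$Local | Format-Table -AutoSize

# Anything not on the expected list deserves a look before it is touched.
$Unexpected = $Local | Where-Object { $Expected -notcontains $_.Name }
foreach ($acct in $Unexpected) {
    Write-Host "Unexpected local account: $($acct.Name) (SID $($acct.SID), disabled=$($acct.Disabled))"
    # Membership in the Administrators group is the detail that matters most.
    net localgroup Administrators | Select-String -SimpleMatch $acct.Name
}

# Ownership and ACL of the wireless driver file the post refers to.
# Assumption: a placeholder driver file name; substitute the adapter's real driver.
$DriverPath = Join-Path $env:SystemRoot 'system32\drivers\example_wlan.sys'
if (Test-Path $DriverPath) {
    $acl = Get-Acl $DriverPath
    Write-Host "Owner of $DriverPath : $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Remediation, only after you have confirmed the account is not one you created.
# Disable first so nothing that depends on it breaks silently, then delete:
#   net user <name> /active:no
#   net user <name> /delete
# Uncomment to disable each unexpected account:
# foreach ($acct in $Unexpected) { net user $acct.Name /active:no }
```

The listing shows the SID next to each name; a SID with a relative identifier (the last number) above 1000 is an account that was created after setup, which is a quick way to tell a leftover from a built-in account. Disabling before deleting also preserves the account's profile folder for later examination.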

     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Good luck and safe surfing. :)
     
  21. StiinaQT

    StiinaQT Private First Class

    Just a follow up. Although my machine was declared critter free, I continued to have problems until yesterday I could not do anything with it, whether I was in safe mode or what. I spoke with my local Geek about helping me with it and when I told him what the error was, he said that my only choice was to do a factory restore. Crap! I did the F11 as my machine calls for and tried diagnostics, and anything else that might figure out what was going on. One of the detail reports showed: "No Os installed." Bottom line is either I had a boot sector problem or whatever was causing this problem did so much damage that the OS became unstable.

    I have restored it to factory level and tried to reinstall my adapter, but again, something is still trying to turn it off. I think I have retransferred whatever this is to my computer via the flash drive. I am going to reinstall all the software and updates to go back through the critter removal process and see if we can remove it from the flash drive too. Hopefully this time we will get it.

    If you have any ideas on alternatives, please let me know.
    Thanks for your help, it's been incredible. And may I add how much I hate Vista? :cry

    Laura
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are restoring the system back to factory settings, any malware will be removed. You then only need to be certain that any media you use to re-transfer files or data is also malware free. Once you are back up and running, you must make sure all your protection software is updated and you should then scan any media. We suggest that you keep both SAS and MBAM for back up scanning.

    Insert your flash drive before you begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    * Double-click Flash_Disinfector.exe to run it.
    * Your desktop and icons may disappear. This is normal.
    * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    * Follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * There will be no GUI interface or log file produced.
    * Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
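    The protective folder described in the note above works because Windows cannot create a file where a directory of the same name already exists, so an infection that tries to drop its own autorun.inf on the drive fails. The script below is an added example of that technique and is not Flash_Disinfector's code or output: for each removable drive it reports any existing autorun.inf file (printing only the launch keys, without executing anything), removes it, and creates a hidden, system, read-only autorun.inf directory in its place. It assumes PowerShell 2.0 on XP or Vista and an elevated prompt; later Windows updates disabled AutoRun for USB media by default, so this matters most on unpatched machines like the one in the thread.

```powershell
# Added example (not Flash_Disinfector): replace autorun.inf files on removable
# drives with a protected directory of the same name. Run elevated.

# DriveType 2 = removable disk (USB sticks, card readers).
$Removable = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2"

foreach ($drive in $Removable) {
    $root   = $drive.DeviceID + '\'
    $target = Join-Path $root 'autorun.inf'

    if (Test-Path $target -PathType Leaf) {
        # Report what the file would have launched, then remove it.
        Write-Host "Found autorun.inf file on $($drive.DeviceID):"
        Get-Content $target -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { Write-Host "  $_" }
        # Infections usually set hidden/system/read-only; clear them so the delete succeeds.
        Set-ItemProperty -Path $target -Name Attributes -Value 'Normal'
        Remove-Item $target -Force
    }

    if (-not (Test-Path $target -PathType Container)) {
        New-Item -Path $target -ItemType Directory | Out-Null
        # Hidden + System + ReadOnly keeps it out of casual view and off the delete path.
        (Get-Item $target -Force).Attributes = 'ReadOnly, Hidden, System, Directory'
        Write-Host "Created protected autorun.inf folder on $($drive.DeviceID)"
    } else {
        Write-Host "Protected autorun.inf folder already present on $($drive.DeviceID)"
    }
}
```

Plug in every drive you want covered before running it, as the note in the thread says, since the loop only sees drives that are present at the time. The folder can be removed later with `Remove-Item -Force` from an elevated prompt if it is ever in the way.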
     
  23. StiinaQT

    StiinaQT Private First Class

    Okay Tim, here is the scoop. I tried to run the Flash Disinfector, but apparently it aroused whatever critter is on this machine. Online Armor kept asking about processes that were wanting to run, but I don't know what should be started and what shouldn't. I ran Hijack Free 4.5 and here are the suspicious files: (Sorry, no way to log I don't think--tell me how if there is a way to capture everything for you to evaluate.)
    Service:

    * Secondary Login => C:\windows\system32\
    - Microsoft, version 5.1.2600.5512 (xpsp.080413-2111), copyrighted
    (this looks like a hidden user account is why I'm listing it)
    *rasacd.sys = > C:\windows\system32\DRIVERS\

    When I looked this up, I went ahead and downloaded TFC to remove it. I will come back and let you know what happened next.
    Laura


     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is a normal system file. ;)
     
  25. StiinaQT

    StiinaQT Private First Class

    I didn't remove it or anything, those running processes told me something was afoot. The TFC was really only a crap cleaner, but it did kill the process I needed to be dormant long enough to run your Flash killer. I ran that second and now I'm starting through the Malware removal process. I will post any logs. BTW, I'm leaving the flash drive in and doing the scans on it as I go. Your Flash killer may have already done that, but I'll be sure this way.

    Thanks again!
    Laura
     
  26. StiinaQT

    StiinaQT Private First Class

    Really, really bad....I started the Root Repeal and made sure it was going then back to the kitchen to fix my son and his buddies' breakfast. I just got back to see if I could get the final log and my computer screen only shows "Missing Operating System" with the cursor blinking just after the m.

    I'll give you the logs I have. I just don't know what to do. Please help! Thank you in advance.

    Laura
    PS These are the only two logs I had saved on my flash drive. :cry
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have your Windows CD? If so, try to boot into the bios and change the boot order so that the CD-Rom drive is the first device. Put in your windows cd and reboot. Then you will need to try doing a repair install. That is the second screen where you press R ---- to repair windows.
     
  28. StiinaQT

    StiinaQT Private First Class

    This CPU didn't have a disk, just a special factory partition with the software on it. Can we work with that? I normally would have purchased the disk, so let me go make sure that I don't have it. I don't remember having one for this computer, though. Will get back to you. Thanks again.
     
  29. StiinaQT

    StiinaQT Private First Class

    Tim,
    I hope this is good news. I do have 3 disks labeled Recovery Disk and each is sequentially numbered. Will these work?
    Laura
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can try booting to the factory restore partition. But it will wipe everything and put you back to when you first got the system. You can use another CD as long as it is the same version as what you have installed.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, they should, but they will put you back to when you created those discs. You should first try to boot into the bios to see if the hard drive is recognized at all.
     
  32. StiinaQT

    StiinaQT Private First Class

    Not a problem as it was already at factory installation level. I tried all of the fixes, check for errors, etc and one of the helpers here plus my local geek both told me I had to reload the OS and that I would lose everything. Guess the best part is I hadn't reloaded very much other than my network adapter and my antivirus and antispywares.

    I didn't try to boot to the bios. I'm not sure how to do that, but I will do some research to see what I need to do. I've only done that a few times and they were all when I was talking to a support person on the phone.

    Thanks!
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you first boot up, you should get a prompt to hit ( maybe ) F2 or F12 or similar to take you into the bios ( or setup ). There you go to the boot order tab and move the CD-Rom into first boot order. Then you can put in the first recovery disc and reboot. You should then get a prompt to boot from CD.
     
  34. StiinaQT

    StiinaQT Private First Class

    That is what I was going to try, but thank you for confirming it. Will let you know what happens.

    Laura
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fingers crossed!! :)
     
  36. StiinaQT

    StiinaQT Private First Class

    I'm going to go try now...I just am dreading this....
     
  37. StiinaQT

    StiinaQT Private First Class

    Here's what happened:
    I went into the startup options and my machine was already set to boot from the disk drive, then hard disk.

    I put the recovery disk in and opted for repairing the Windows installation
    I didn't see it end and there was a statement that it may take several times through the repair to get it all fixed up. That second time, I waited to see what happened and this is the resulting message:

    Unable to repair windows automatically. (then the typical disclaimer to contact your network admin or computer manufacturer)

    Problem event / Name
    01 / unknown
    02 / 6.0.6001.18000.0.0.0.0
    03 / 0
    04 / 65537
    05 / unknown
    06 / NoOsInstalled
    07 / 0
    08 / 1
    09 / Fix Partition Table
    10 / 1168
    OS Ver: 6.0.6001.2.1.0.256.1
    Local ID: 1033

    I have initiated the reinstallation from the recovery disks. Let me know if this means it's a hardware issue.

    Thanks again,
    Laura
     
  38. StiinaQT

    StiinaQT Private First Class

    I went back and tried again, had to use the disk to get the recovery started, but since the computer doesn't like disk 1, I tried to use the recovery from the HDD, but got the error:

    Error 0x4001001300001002

    So, I clicked next and it tried to boot before I could catch it and I got this:

    Bootmgr is missing
    Press <CTRL> <ALT> <DELETE> to restart

    Put the recovery disk 1 back in and again try from the HDD and the same error as before:

    Error 0x4001001300001002

    I don't have to be a genius to see the writing on the wall. Bad HDD? What is your opinion or experience?

    Thanks again
    Laura
     
  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Considering the events, that would be my guess. However, I suggest you pursue this in the software forum where others may be able to advise you on how to diagnose the issue. ;)
     
  40. StiinaQT

    StiinaQT Private First Class

  41. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Vista and Win7 Recovery disc


    For fixing the boot issues:
    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe, and then press ENTER.

    If necessary, you can do this:

    Bootrec.exe /fixmbr
     
  42. StiinaQT

    StiinaQT Private First Class

    All that is fine until I get to the "click the operating system you want to repair." My screen shows absolutely nothing, no O/S, nothing and then asks to install the HDD drivers.

    I'm going to see if I downloaded the wrong version of Vista since my reinstallation disks won't work. Nice, huh? I'm in a real pickle. When I look at the windows partition it shows 0 bytes used. Whatever got into my system has apparently effectively deleted these files. I'm also reading that the reinstallation protocol originally provided by MS didn't work on any system.

    I appreciate your following up. I had to help get the house ready for Christmas tonight so I'm working on this instead of sleeping. Gonna pay for this too. :zzz

    Thanks,
    Laura
     
  43. StiinaQT

    StiinaQT Private First Class

    I was able to get to the DOS prompt. I did the repairs and it reported success. I actually ended up doing two types of Bootrec.exe, the /Fixmbr and /FixBoot. Both reported success, but still I seem to be missing the drivers. I can't find a driver disk and it can't find them even though it looks like they are all there.

    While in DOS, I checked the directories and my C: drive is completely empty. My D: drive is now what my E: drive used to be and somehow my D: drive (the recovery partition) is now labeled as the E: drive. Does this have anything to do with my problem?

    When I try to do the Windows repair, I get the following error messages:
    Problem signature:
    Problem Event Name: StartupRepairV2
    Sig01: External Media
    Sig 02: 6.0.6000.16386.0.0.0.0
    Sig 03: 0
    Sig 04: 65537
    Sig 05: unknown
    Sig 06: MissingBootManager
    Sig 07: 0
    Sig 08: 2
    Sig 09: WrpRepair
    Sig 10: 21
    OS Version: 6.0.6000.2.0.0.256.1
    Locale ID: 1033

    Do I need to take this to the Software Support forum? Do you have a Vista reinstallation instruction?

    Thanks again for all your help.
    Laura
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you need to take this to the software forums for further assistance. ;)
     
