Author Topic: Help me, please.

ElTron

  • Guest
Help me, please.
« on: June 11, 2008, 04:31:27 AM »
Hello

My PC has been infected by something very hard. The Avast log is attached.

System Restore is disabled. The XP firewall is disabled and I cannot enable it. The Task Manager was disabled but I could start it again.

What can I do? Not easy, I think. Is there any possibility of restoring the system without losing the restore points? (I have verified that the System Volume Information folder is empty but I cannot open it.)

I have deleted all the files (exes, dll, prefetch, etc, etc) that were created at the time of infection, 1:18 today.

Please help

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help me, please.
« Reply #1 on: June 11, 2008, 04:57:41 AM »
I suggest:

1. Disable System Restore and re-enable it after step 3. This will delete the infected restore points. Why do you need them? But if System Restore is already disabled... well, the points are gone. You do not have access to the System Volume Information folder because access rights are granted only to the System account.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

ElTron

  • Guest
Re: Help me, please.
« Reply #2 on: June 11, 2008, 04:58:45 AM »
Ok

I post the contents of the Avast log:

11/06/2008 1:18:25   SYSTEM   1200   Sign of "Win32:Dialer-407 [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game" file.  
11/06/2008 1:18:47   SYSTEM   1200   Sign of "Win32:Tibs-DXY [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game" file.  
11/06/2008 1:19:09   SYSTEM   1200   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Program Files\BraveSentry\BraveSentry.exe" file.  
11/06/2008 1:19:19   SYSTEM   1200   Sign of "Win32:Homles [trj]" has been found in "C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\RQVAVNLI\17PHolmes[1].cmt\[UPX]" file.  
11/06/2008 1:23:17   PC   1412   Sign of "Win32:Tiny-QP [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynow.game" file.  
11/06/2008 1:23:31   PC   1412   Sign of "Win32:Dialer-407 [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game" file.  
11/06/2008 1:24:26   PC   1412   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE" file.  
11/06/2008 1:24:29   PC   1412   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Dialer-407 [trj]" has been found in "C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\gdnOT3256[1].exe" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Tibs-DXY [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\v6xdt4.game" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Homles [trj]" has been found in "C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\ZYTE3Q9Y\17PHolmes[1].cmt\[UPX]" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\0.EXE" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Dialer-407 [trj]" has been found in "C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\6LNEPTSW\gdnOT3256[1].exe" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Homles [trj]" has been found in "C:\WINDOWS\17PHolmes27.exe\[UPX]" file.  
11/06/2008 1:25:33   PC   1412   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\bljhfggp.exe" file.  
11/06/2008 1:25:36   PC   1412   Sign of "Win32:Homles [trj]" has been found in "C:\WINDOWS\17PHolmes27.exe\[UPX]" file.  
11/06/2008 1:25:37   PC   1412   Sign of "Win32:Tibs-DXY [trj]" has been found in "C:\WINDOWS\system32\vedxga4m1et4.exe" file.  
11/06/2008 3:08:13   PC   1464   Sign of "Win32:Homles [trj]" has been found in "C:\WINDOWS\17PHolmes27.exe\[UPX]" file.  
11/06/2008 3:13:02   PC   1464   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\PC\Configuración local\Temp\bljhfggp.exe" file.  
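A small triage helper for the avast! log format posted above, added here as an example (it is not code from the thread or from Avast): it parses each line into its fields, groups hits by signature, separates the initial drop around 1:18 from the later re-scans, and flags files that landed outside the temp and IE cache folders. The list of persistent locations is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# One avast! on-access log line as pasted above: date, time, user, PID, signature, path.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+'
    r'(?P<pid>\d+)\s+Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>.+)" file\.$'
)
# Assumed list: locations a dropper writes to survive a reboot, unlike temp/IE cache.
PERSISTENT = ("c:\\windows\\", "c:\\program files\\")

@dataclass(frozen=True)
class Detection:
    when: datetime
    user: str
    pid: int
    signature: str
    path: str

    def persistent(self) -> bool:  # dropped outside temp/IE cache: prioritise these
        return self.path.lower().startswith(PERSISTENT)

def parse_avast_log(text: str) -> list[Detection]:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or non-detection lines are skipped
            when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
            found.append(Detection(when, m["user"], int(m["pid"]), m["sig"], m["path"]))
    return found

def by_signature(dets: list[Detection]) -> dict[str, list[str]]:
    groups = defaultdict(set)
    for d in dets:
        groups[d.signature].add(d.path)
    return {sig: sorted(paths) for sig, paths in groups.items()}

def first_wave(dets: list[Detection], window=timedelta(minutes=2)) -> list[Detection]:
    """Hits within `window` of the earliest one: the initial drop, not later re-scans."""
    start = min(d.when for d in dets)
    return sorted((d for d in dets if d.when - start <= window), key=lambda d: d.when)

# Three lines copied from the log posted in this thread, used as sample input.
SAMPLE = r"""
11/06/2008 1:18:25   SYSTEM   1200   Sign of "Win32:Dialer-407 [trj]" has been found in "C:\DOCUME~1\PC\CONFIG~1\Temp\maxpaynowti.game" file.
11/06/2008 1:19:09   SYSTEM   1200   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Program Files\BraveSentry\BraveSentry.exe" file.
11/06/2008 3:13:02   PC   1464   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\PC\Configuración local\Temp\bljhfggp.exe" file.
"""
```

Run `parse_avast_log(SAMPLE)` and feed the result to `first_wave` and `by_signature` to see which files belong to the original drop and which names recur across paths.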

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help me, please.
« Reply #3 on: June 11, 2008, 05:04:42 AM »
Please, follow the other directions I've posted before...
The best things in life are free.

ElTron

  • Guest
Re: Help me, please.
« Reply #4 on: June 11, 2008, 05:34:53 AM »
All right:

I'm doing all the steps. Avast antirootkit has found c:\windows\system32\drivers\asc3550p.sys, but when I push the "Fix Now" button, the "Fix status" says: Error!

Now I will try to report the HijackThis log.

ElTron

  • Guest
Re: Help me, please.
« Reply #5 on: June 11, 2008, 05:49:48 AM »
I post the HijackThis log and the RunScanner log (run file) as attached files.

Thank you very much in advance for the help.

One more question: my system has lost its sound (Windows sounds and SoundMAX). The firewall is still disabled and I cannot enable it. The red security icon is there in the tray. I have re-enabled System Restore but of course there were no restore points.

The run file of RunScanner cannot be attached here.

ElTron

  • Guest
Re: Help me, please.
« Reply #6 on: June 11, 2008, 08:47:16 AM »
Any ideas??

The firewall is still disabled. When the computer starts, all is all right except that the Avast tray icon doesn't turn for a few minutes and the computer seems blocked. I can run Task Manager or Process Explorer but I cannot see anything abnormal.
In the msconfig startup sequence there is nothing suspicious, but two things called "dumprep 0 -k" and "dumprep 0 -u" appear. What are these entries???

ElTron

  • Guest
Re: Help me, please.
« Reply #7 on: June 11, 2008, 03:13:09 PM »
Please, any ideas.

There is one thing that I cannot yet understand. When my PC was infected I was only navigating the web. Nothing was executed. Nothing strange was happening. Avast was active and my firewall also. The infection started simply, without any previous signals.

How is this kind of infection possible??? I mean, I was only surfing the web and nothing was executed directly by me. How is it possible for a trojan to tunnel through the antivirus, disable System Restore and the firewall??? Is it possible??? I can't believe it.

Now I'm writing from my laptop, but the big infected computer will be formatted. No information has been lost, but now comes the problem that I am going to spend a lot of time, maybe days, reinstalling everything from zero (XP, Office, all applications...)

Oh my god.... 

CharleyO

  • Guest
Re: Help me, please.
« Reply #8 on: June 12, 2008, 09:30:15 AM »
***

While I am no expert on reading HJT logs, you have several entries with (files missing) and this can be a clue to your problem. The entry with this ... 1033d.exe ... seems to be related to some type of malware.

As for the "dumprep" entries, perhaps it is something you initiated but do not remember and is nothing to worry about. Read here for more information:
http://www.techspot.com/startup/11946/

Why can you not attach the runscanner file here?

Finally, asc3550p.sys is related to a malware named Trojan.KillAV.lz and can be removed with Spyware Terminator. Please visit the next link for more information ...

http://www.spywareterminator.com/item/14999/TrojanKillAVlz.html

Sorry that I could not offer help sooner and I hope the above will help you.


***