Author Topic: Relative's PC Is Infected....  (Read 11951 times)


ebozzz

  • Guest
Relative's PC Is Infected....
« on: April 16, 2012, 11:56:28 PM »
I don't have much information as of yet. all I know is that the machine is a Toshiba laptop running either Windows XP or Vista. The user has told me that it will boot to the desktop but is extremely sluggish after doing so. That's all I have for now. It's going to be dropped off to me tomorrow, the 17th. Hopefully I will be able to get a little help once it arrives...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33897
  • malware fighter
Re: Relative's PC Is Infected....
« Reply #1 on: April 17, 2012, 12:05:42 AM »
Hi ebozzz,

When it comes in, go here http://forum.avast.com/index.php?topic=53253.0
and prepare the logs for one of our qualified removers, who can guide you through the cleansing process.
Do nothing to that laptop yet, and follow the qualified removal instructions meticulously to achieve the best possible cleansing results.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #2 on: April 17, 2012, 12:14:45 AM »
Polonus,

I will. I've already been reading the threads in the sticky section. It appears that I can get a lot done on my own before asking for the cavalry to bail me out. I'm not going to do anything other than prepare the logs and wait for guidance. This sort of thing is simply not my area of expertise.

jeffce

  • Guest
Re: Relative's PC Is Infected....
« Reply #3 on: April 17, 2012, 12:25:09 AM »
Monitoring...  :)

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #4 on: April 18, 2012, 02:39:47 AM »
Ok, I just got home from the job and have the laptop in question.

Toshiba Satellite P205
Windows Vista Home Premium 32-bit
2 GB Ram
T5300 Core2Duo (1.73 GHz x 1.73 GHz)
200 GB HDD (125 GB free)

Based on the description that my relative had provided prior to me getting the machine, I was expecting it to show significant signs of infection. My first impressions are that this machine is not running that bad. It booted into the desktop without much difficulty. I downloaded MBAM onto a flash drive, rebooted it into safe mode, installed & updated MBAM, and I am a little over 15 minutes into a full scan. 14 detections thus far. While this scan is running I am going to read a few of the sticky threads to get an idea about what logs will be needed. I honestly think this could very well be an easy job....

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #5 on: April 18, 2012, 03:07:49 AM »
Clumsy me! 42 minutes into the full scan with MBAM and I accidentally closed the application.  :-\

Starting over again now. There were still only 14 detections prior to my mishap....

:Edit: I have all of my other log generating resources downloaded and ready to go once the MBAM scan is completed. I am gonna walk away for a while so that I don't make any more mistakes!
« Last Edit: April 18, 2012, 03:10:07 AM by ebozzz »

jeffce

  • Guest
Re: Relative's PC Is Infected....
« Reply #6 on: April 18, 2012, 03:22:41 AM »
Hi,

You don't have to do a full scan...a quick scan is fine.  :)

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #7 on: April 18, 2012, 04:09:18 AM »
I always do full scans but the next time I will be aware of that. I don't anticipate being back in here asking for help any time soon!  ;D

Here's the MBAM log. I am getting ready to run OTL now....

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.17.06

Windows Vista x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6000.16982
Jeff :: JEFF-PC [administrator]

4/17/2012 7:05:38 PM
mbam-log-2012-04-17 (19-05-38).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 302715
Time elapsed: 45 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\Users\Jeff\AppData\Local\Temp\Low\0.2842084884142906.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.45276379251548815.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6396976189294069.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.6620275009111668.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.7480636890359736.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\0.789415857029859.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\bhr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eij.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\eud.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\ilj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\jqi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\snc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\sri.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\Update.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)
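A small parser for the Malwarebytes 1.x log layout posted above, added here as an illustration (it is not code from the thread or from Malwarebytes). It reads the "Files Detected" lines into records, groups them by directory and threat family, and flags any entry that was not quarantined; the sample log is constructed in the same format, not the thread's data verbatim.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One "Files Detected" entry of a Malwarebytes 1.x log has the shape:
#   <path> (<threat name>) -> <action taken>.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Constructed sample in the same layout as the log above (not the thread's data).
SAMPLE_LOG = r"""Files Detected: 3
C:\Users\Jeff\AppData\Local\Temp\Low\0.2842084884142906.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Local\Temp\Low\Update.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\example.exe (Trojan.Agent) -> No action taken.

(end)
"""


def declared_count(text):
    """The count MBAM itself reports on the 'Files Detected:' line, or None."""
    m = re.search(r"^Files Detected: (\d+)$", text, re.M)
    return int(m.group(1)) if m else None


def parse_detections(text):
    """Return one dict (path, threat, action) per detected-file line."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Group findings by parent directory and threat family; list anything not quarantined.

    Many hits in one user temp directory with one family name usually means a
    single dropper, not several independent infections, which is useful triage.
    """
    by_dir = Counter(str(PureWindowsPath(h["path"]).parent) for h in hits)
    by_threat = Counter(h["threat"] for h in hits)
    unresolved = [h["path"] for h in hits if not h["action"].startswith("Quarantined")]
    return {"by_dir": dict(by_dir), "by_threat": dict(by_threat), "unresolved": unresolved}


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    print("declared:", declared_count(SAMPLE_LOG), "parsed:", len(found))
    print(summarize(found))
```

Comparing the declared count with the parsed count catches a log that was truncated when it was pasted into a post.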

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #8 on: April 18, 2012, 04:41:14 AM »
OTL.Txt and Extras.Txt files are also attached....


ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #9 on: April 18, 2012, 05:02:07 AM »
aswMBR

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-17 20:43:26
-----------------------------
20:43:26.417    OS Version: Windows 6.0.6000
20:43:26.417    Number of processors: 2 586 0xF02
20:43:26.417    ComputerName: JEFF-PC  UserName: Jeff
20:43:27.322    Initialize success
20:45:13.324    AVAST engine defs: 12041701
20:45:28.238    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:45:28.238    Disk 0 Vendor: TOSHIBA_MK2035GSS DK020M Size: 190782MB BusType: 3
20:45:28.253    Disk 0 MBR read successfully
20:45:28.253    Disk 0 MBR scan
20:45:28.253    Disk 0 Windows VISTA default MBR code
20:45:28.269    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
20:45:28.300    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       189281 MB offset 3074048
20:45:28.316    Disk 0 scanning sectors +390721536
20:45:28.425    Disk 0 scanning C:\Windows\system32\drivers
20:45:39.283    Service scanning
20:46:06.130    Modules scanning
20:46:11.247    Disk 0 trace - called modules:
20:46:11.294    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:46:11.294    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a9f030]
20:46:11.309    3 ntoskrnl.exe[820a80af] -> nt!IofCallDriver -> [0x849dbf18]
20:46:11.309    5 acpi.sys[8046832a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x849dd548]
20:46:12.339    AVAST engine scan C:\Windows
20:46:14.819    AVAST engine scan C:\Windows\system32
20:48:54.439    AVAST engine scan C:\Windows\system32\drivers
20:49:09.383    AVAST engine scan C:\Users\Jeff
20:53:48.140    AVAST engine scan C:\ProgramData
20:57:04.528    Scan finished successfully
20:58:51.778    Disk 0 MBR has been saved successfully to "C:\Users\Jeff\Desktop\MBR.dat"
20:58:51.778    The log file has been saved successfully to "C:\Users\Jeff\Desktop\aswMBR.txt"

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #10 on: April 18, 2012, 05:22:34 AM »
Rogue Killer

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User: Jeff [Admin rights]
Mode: Scan -- Date: 04/17/2012 21:16:16

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++
--- User ---
[MBR] 31a51cfdf3c492d70a27f5667d353202
[BSP] 998c3ec9a68bb927f8a39d896677fbf4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189281 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: USB 2.0 USB Flash Drive USB Device +++++
--- User ---
[MBR] 9ce65dd10b564194fc9c920b30411fe1
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 3863 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #11 on: April 18, 2012, 05:37:22 AM »
Rogue Killer

Files 2 & 3 are attached......

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #12 on: April 18, 2012, 05:38:52 AM »
Farbar Service Scanner

Farbar Service Scanner Version: 16-04-2012
Ran by Jeff (administrator) on 17-04-2012 at 21:30:59
Running from "C:\Users\Jeff\Desktop"
Microsoft® Windows Vista™ Home Premium   (X86)
Boot Mode: Nerwork
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2007-10-25 16:22] - [2007-10-25 16:22] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

ebozzz

  • Guest
Re: Relative's PC Is Infected....
« Reply #13 on: April 18, 2012, 05:42:02 AM »
Alright, I think that's all of the recommended logs. I'm anxious to hear what your thoughts are. In the meantime, I am going to boot into the desktop and see if I notice any issues....

jeffce

  • Guest
Re: Relative's PC Is Infected....
« Reply #14 on: April 18, 2012, 01:37:44 PM »
Hi ebozzz,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1951984611-3127551431-2383596439-1000\..Trusted Ranges: GD ([http] in Local intranet)
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell - "" = AutoRun
O33 - MountPoints2\{1a8aac2a-1174-11e0-8106-001b381c8ddf}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------