
recovering patient.....



I'm working on a PC running XP and working through virus issues. I think I've successfully addressed a number of issues via Malwarebytes (thank you), TDSSKiller and CCleaner.

I believe my problems have been a Google redirect virus. This seems to be at least partially addressed, with browsers now functional, but MB is blocking/preventing some ongoing malicious activity.

TDSSKiller reports to have taken care of a rootkit virus.

I originally had a process running that was filling up temporary internet files with GB of data, filling the hard drive.

Most of this seems to be resolved, but I have a lingering problem identified by MB and it seems related to an Adobe sp.DLL file... any insight or guidance in resolving this is greatly appreciated.

And thank you for your product!

log below:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.12.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

rob :: MONTGOMERY [administrator]

Protection: Enabled

4/12/2012 3:58:04 PM

mbam-log-2012-04-13 (09-39-41).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 206565

Time elapsed: 39 minute(s), 6 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.

Registry Keys Detected: 4

HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (Trojan.Proxy) -> No action taken.

HKCR\sp (TrojanProxy.Agent) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.

HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

Registry Values Detected: 3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (Trojan.Proxy) -> Data: sp -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^w^ -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.

(end)

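The log above flags three persistence points that are worth knowing how to audit by hand: a service registered in the shared svchost "netsvcs" group, a shell icon overlay handler, and an approved shell extension. The PowerShell below is an added example, not code from the thread or from Malwarebytes; it assumes PowerShell is available and runs in an elevated session, and the helper name Get-ModuleVerdict is mine.

```powershell
# Added example (not from the thread): audit the three persistence locations
# the MBAM log flagged. Assumes PowerShell 2.0+ and an elevated session.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$overlayKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Get-ModuleVerdict([string]$Path) {
    # Expand %SystemRoot%-style variables, then report signature status.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

# 1. Every service in the 'netsvcs' svchost group, resolved to the DLL
#    svchost.exe will load for it (HKLM\...\Services\<name>\Parameters\ServiceDll).
$netsvcs = (Get-ItemProperty -Path $svcHostKey).netsvcs
foreach ($name in $netsvcs) {
    $params = Join-Path $servicesKey "$name\Parameters"
    $dll = $null
    if (Test-Path $params) { $dll = (Get-ItemProperty -Path $params).ServiceDll }
    if ($dll) { "netsvcs  $name -> $dll : $(Get-ModuleVerdict $dll)" }
    else      { "netsvcs  $name -> (no ServiceDll; key absent or not a DLL-hosted service)" }
}

# 2. Shell icon overlay handlers: each subkey's default value is a CLSID, and
#    that CLSID's InprocServer32 default value is the DLL Explorer loads at logon.
Get-ChildItem -Path $overlayKey | ForEach-Object {
    $clsid  = (Get-ItemProperty -Path $_.PSPath).'(default)'
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
    $verdict = if ($dll) { Get-ModuleVerdict $dll } else { 'no InprocServer32' }
    "overlay  $($_.PSChildName) $clsid -> $dll : $verdict"
}

# 3. Approved shell extensions: value names are CLSIDs and the data is normally a
#    description; flag empty data like the blank 'Data:' entry in the log.
$approved = Get-Item -Path $approvedKey
foreach ($v in $approved.GetValueNames()) {
    if ([string]::IsNullOrEmpty($approved.GetValue($v))) { "approved $v -> (empty description)" }
}
```

Unsigned or missing modules in output sections 1 and 2, and blank entries in section 3, are the lines to compare against the scanner's findings before deciding what to remove.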

Hi, thanks for the response.

In previous scans I've removed the quarantined items and it resulted in Windows not completing startup. It goes into a loop of continual attempts to start.

The only remedy has been reverting to last known good configuration.

I've also tried only deleting the sp.DLL file with the same failed startup result.

I have not yet allowed MWB to remove the results of this latest scan. I decided to post here first. I did, however, try manually removing the sp.DLL file and am not allowed to delete it.

I will not have access to the PC again until Monday morning.


When you can, let's try this first:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Download TDSSKiller from here and save it to your Desktop.

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Thanks LDTate,

I already have TDSSKiller installed and ran it last week. It reported that a malicious rootkit program was successfully removed.

I subsequently ran another MWB scan, as I was still getting MWB pop-ups that a malicious outgoing process was being blocked.

So, the MWB log above is what remains after running TDSSKiller.

Not sure if I have that report saved or if the TDSSKiller program will allow me to access a copy of the report Monday.

Been trying to work through this on my own.

Should I try another round of TDSSKiller?


Hi LDTate... happy Monday.

I ran TDSSKiller again this morning: 0 threats found, 0 threats neutralized, 0 objects quarantined.

I then ran a MWB quick scan again with the following results:

(At this point I've not asked MWB to remove the items)

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.12.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

rob :: MONTGOMERY [administrator]

Protection: Enabled

4/16/2012 9:36:02 AM

mbam-log-2012-04-16 (10-47-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 206855

Time elapsed: 26 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (TrojanProxy.Agent) -> No action taken.

Registry Keys Detected: 4

HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> No action taken.

HKCR\sp (TrojanProxy.Agent) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.

HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

Registry Values Detected: 3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^w^ -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (TrojanProxy.Agent) -> No action taken.

(end)


Removed items from previous MBAM scan and restarted. Restart was perfect.

Ran MBAM scan again to check. Here are the results... looks like it's clean!

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.12.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

rob :: MONTGOMERY [administrator]

Protection: Enabled

4/16/2012 11:01:59 AM

mbam-log-2012-04-16 (11-01-59).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 206619

Time elapsed: 32 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


You can delete TDSSKiller.

Here's my usual all-clean post.

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a firewall in its default configuration can lower your risk greatly.
  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA - Click this link and click on the Free JAVA Download.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
