Philmin Posted November 25, 2012 ID:617160 Share Posted November 25, 2012 My wife clicked on an attacment for an itune card, just fill out the survey for HULU. It appears services were lost. DHCP, malwarebytes, wireless networks...etc. Also slow and sluggish. In the safe mode I was able to scan using a very old definition file malwarebyte program. Seems I have "Exploit.Drop" Saw a thread for Exploit.drop.9. It was not very clear to me how to do this removal for a Vista Home Premium system. No network access at this time. Thumbdrives not recognized. Any help appreciated! Very close to use recovery disks and start over. I have a backup for my docs. Thanks,Phil Link to post Share on other sites More sharing options...
Philmin Posted November 26, 2012 Author ID:617240 Share Posted November 26, 2012 I got roguekiller to run. Here is the report;RogueKiller V8.3.1 [Nov 25 2012] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/Website : http://tigzy.geekstogo.com/roguekiller.phpBlog : http://tigzyrk.blogspot.com/Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits versionStarted in : Safe modeUser : SusieM [Admin rights]Mode : Scan -- Date : 11/25/2012 18:40:37¤¤¤ Bad processes : 1 ¤¤¤[sUSP PATH] HelpPane.exe -- C:\Windows\HelpPane.exe -> KILLED [TermProc]¤¤¤ Registry Entries : 4 ¤¤¤[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts127.0.0.1 localhost::1 localhost¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: +++++--- User ---[MBR] 5588a7e3380694430a56e77d3d1b42bf[bSP] 8369f79d6a8806abc521b080ee75eb65 : Windows Vista MBR CodePartition table:0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229555 Mo2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473202688 | Size: 7419 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[1]_S_11252012_02d1840.txt >>RKreport[1]_S_11252012_02d1840.txtAny help appreciated,Phil Link to post Share on other sites More sharing options...
Maniac Posted November 26, 2012 ID:617329 Share Posted November 26, 2012 Hello Phil and ! My name is Maniac and I will be glad to help you solve your malware problem.Please note:If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.My wife clicked on an attacment for an itune card, just fill out the survey for HULU. It appears services were lost. DHCP, malwarebytes, wireless networks...etc. Also slow and sluggish. In the safe mode I was able to scan using a very old definition file malwarebyte program. Seems I have "Exploit.Drop" Saw a thread for Exploit.drop.9. It was not very clear to me how to do this removal for a Vista Home Premium system. No network access at this time. Thumbdrives not recognized. Any help appreciated! Very close to use recovery disks and start over. I have a backup for my docs. Thanks,PhilWith all of these problems expect us a very serious struggle, which in your case it is easy for a few minutes can be solved. I highly recommend this, but if we want to continue with the removal procedure, let me know. Link to post Share on other sites More sharing options...
Philmin Posted November 29, 2012 Author ID:618156 Share Posted November 29, 2012 Maniac,I am a paid member using Malwarebytes on my computer. My wife is using mcAfee supplied from the local cable company. What do you mean by being a paid member? Link to post Share on other sites More sharing options...
Maniac Posted November 29, 2012 ID:618235 Share Posted November 29, 2012 You have paid for Malwarebytes' Anti-Malware PRO edition. Link to post Share on other sites More sharing options...
Philmin Posted November 29, 2012 Author ID:618266 Share Posted November 29, 2012 Yes, I have the pro version. Can you advise from looking at my previous post with the RougeKiller report?Phil Link to post Share on other sites More sharing options...
Maniac Posted November 30, 2012 ID:618518 Share Posted November 30, 2012 Please re-read my post again:With all of these problems expect us a very serious struggle, which in your case it is easy for a few minutes can be solved. I highly recommend this, but if we want to continue with the removal procedure, let me know. Link to post Share on other sites More sharing options...
Philmin Posted December 1, 2012 Author ID:618678 Share Posted December 1, 2012 I am willing to try the repair. If all else fails I have the recovery disk to reload. What can I do first? Thanks for help!Phil Link to post Share on other sites More sharing options...
Maniac Posted December 1, 2012 ID:618757 Share Posted December 1, 2012 Please download Malwarebytes Anti-Rootkit from here.Unzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exe ( right click and select Run as adminsistrator for Vista and Windows 7)Follow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Please post the two logs produced. Link to post Share on other sites More sharing options...
Philmin Posted December 1, 2012 Author ID:618851 Share Posted December 1, 2012 1st logMalwarebytes Anti-Rootkit 1.1.0.1009www.malwarebytes.orgDatabase version: v2012.12.01.07Windows Vista Service Pack 2 x86 NTFS (Safe Mode)Internet Explorer 9.0.8112.16421SusieM :: SUSIEM-PC [administrator]12/1/2012 12:08:38 PMmbar-log-2012-12-01 (12-08-38).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/ShurikenScan options disabled: PUP | PUM | P2PObjects scanned: 29761Time elapsed: 11 minute(s), 33 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 6C:\Users\SusieM\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Delete on reboot. [2b48a518f56864d294ebe2fa08f841bf]C:\Users\SusieM\Local Settings\Temp\msimg32.dll (RootKit.0Access) -> Delete on reboot. [b9ba6d508cd1d75fb5ca03d942bed828]C:\Users\SusieM\Local Settings\Application Data\Temp\msimg32.dll (RootKit.0Access) -> Delete on reboot. [e58ec9f4b2ab4de9b8c7528a0af6c937]C:\Users\SusieM\Local Settings\Temporary Internet Files\Content.IE5\VAXFSBM9\load_53[1].exe (RootKit.0Access) -> Delete on reboot. [3c370bb2dd8045f1770836a617e9619f]C:\Users\SusieM\Local Settings\Application Data\Temporary Internet Files\Content.IE5\VAXFSBM9\load_53[1].exe (RootKit.0Access) -> Delete on reboot. [bcb7308df469f44289f6c616da268878]C:\Users\SusieM\AppData\Local\Temporary Internet Files\Content.IE5\VAXFSBM9\load_53[1].exe (RootKit.0Access) -> Delete on reboot. [5f14ad10fc613ef8403f94487c842ed2](end)2nd log rescanMalwarebytes Anti-Rootkit 1.1.0.1009www.malwarebytes.orgDatabase version: v2012.12.01.07Windows Vista Service Pack 2 x86 NTFS (Safe Mode)Internet Explorer 9.0.8112.16421SusieM :: SUSIEM-PC [administrator]12/1/2012 12:26:02 PMmbar-log-2012-12-01 (12-26-02).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/ShurikenScan options disabled: PUP | PUM | P2PObjects scanned: 29733Time elapsed: 11 minute(s), 25 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)Maniac,Could only run the scans in SAFE MODE. After the removal of the infected files, I rebooted. The computer still runs slow. Same services not operational. what is next? Thanks,Phil Link to post Share on other sites More sharing options...
Maniac Posted December 2, 2012 ID:619057 Share Posted December 2, 2012 BACKDOOR WARNINGOne or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:Help: I Got Hacked. Now What Do I Do?Help: I Got Hacked. Now What Do I Do? Part IIHow Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know. Link to post Share on other sites More sharing options...
Philmin Posted December 2, 2012 Author ID:619091 Share Posted December 2, 2012 Maniac,The infected laptop was never physically wired to a network. It was on my wireless network at home. When the laptop became infected the wireless function stopped working as well as some other services. I have been using my desktop to communicate to you and download the programs for malware bytes and transferring to USB drive. I will use the recovery disks for the Toshiba laptop and reinstall OS. Thanks for your help and advice.Phil Link to post Share on other sites More sharing options...
Maniac Posted December 2, 2012 ID:619274 Share Posted December 2, 2012 Some malware preventions for you Phil:users.telenet.be/bluepatchy/miekiemoes/prevention.htmlSafe surfing! Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 3, 2012 ID:619557 Share Posted December 3, 2012 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts