
Hi Exile,

Thanks for checking on me. I am shocked by this sudden decision not to work with me. I had been advised to purchase the USB to Ethernet device. I certainly thought the forum members would continue to work with me once I got it. Now, I'm already half a day behind as my project began at 9 a.m. and closes online at 9 p.m.

I did contact Customer Support, via email.


Kate:

"You can lead a horse to water but you can't make him drink"

No, I am not calling you a horse. I am using this old phrase because the concept is apropos. Firefox interjected and I stated then I would defer. You chose not to follow Firefox's advice. And so we continued. I suggested a USB Ethernet adapter on March 5th. As I wrote on the morning of March 6th...

I believe you noted that your project starts the 8th of March. If yes then is mail order the best way to go about this ?

I think you should go to your local BestBuy (and other office supply stores that I previously listed) and get a USB 2.0 to Ethernet adapter off the shelf so you have it and know it's working PRIOR to the onset of your project.

I tried to impart upon you the concept of getting it done then while you had the time. You chose not to obtain it until the last minute. This left you no wiggle room.

I TRUST Melboy's opinion that he saw signs of a ZeroAccess RootKit in logs you posted on March 2nd. Which brings us back to Firefox's post on March 2nd. It is our POV that these issues had priority. We can't make you follow our suggestions but will abide by your decisions.

** USB Ethernet adapters should include a CDROM with OS drivers so that the OS can use the device as an Ethernet controller. You would then install those drivers, then connect the Ethernet cable to that Belkin device. Then power cycle the Westell Modem+Router so that it will recognize that a new device is connected to it.



Hi Kate,

I'm sorry to hear that and I definitely understand the frustration. I think the problem at the heart of it is that David and the others weren't clear that your system might actually be infected, and once they became aware of it, chose to play it safe and go with the best practice (and typically our policy for this forum), which is to get you cleared of infections first prior to attempting to work on any other problems with the computer. This is advisable because typically malware-related issues can be at the heart of all the other troubles, and attempting to work around the problems caused by infection may end up damaging the system in the long run and may make cleaning the infections much more difficult or even impossible once cleanup is attempted.

Basically we don't want to do more harm than good and end up with you having to possibly reformat your computer and losing your data etc. because we tried to fix a problem with your PC while it was infected.

I hope that clears it up some and hopefully they'll be able to address your issues promptly and get you up and running again so you can get your project done and be malware free.


Thanks again Exile for explaining the POV. I am going to try and do my project with a broken system. If not, I will lose 25 days of pay. The way these things go, I have 3 days to train, test on 4th day, pass certification, then score. It's constructed response scoring for a leading educational scoring company. Often ramping up is a long and very difficult process. I have to learn and absorb a 16 point rubric and decide where in those 16 points a score lies on a holistic basis. Very, very hard stuff. Missing an entire day of training may spell distaste for me. C'est la vie & hasta luego.


I would urge you to get your system cleaned. Sirefef is a serious infection.

http://www.microsoft...Win32%2FSirefef

Win32/Sirefef is a multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
  • Downloading and executing of arbitrary files
  • Contacting remote hosts
  • Disabling of security features

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features.

Payload

Downloads and executes arbitrary files

Sirefef utilizes a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers. The downloaded components are saved to the U\ directory in a hidden folder that it creates for this purpose. The downloaded components may:

  • Moderate your Internet experience by modifying search results
  • Generate pay-per-click advertising revenue for its controllers
  • Run Bitcoin (digital currency) mining on the affected computer

Stops and deletes security-related services

Sirefef attempts to stop and delete the following security-related services:

  • Windows Defender Service (windefend)
  • IP Helper Service (iphlpsvc)
  • Windows Security Center Service (wscsvc)
  • Windows Firewall Service (mpssvc)
  • Base Filtering Engine Service (bfe)

Contacts remote hosts

Sirefef contacts a remote host to send information about your computer. This information may then be used to create a network of infected computers that the attacker may utilize for practically any purpose.


Thanks melboy

I've been in contact with the user via PM and will probably advise her to seek Help Desk assistance. I wanted to go through the logs and see what sign there is/was as there seems to possibly be conflicting information.


Well, I see now that in post #6 Firefox already brought to attention that assistance in the HJT forum may be needed, and I agree.

Something is causing the services not to be found or shown, as confirmed in the Event Logs.

==== Event Viewer Messages From Past Week ========

.

3/1/2013 4:21:44 AM, Error: Microsoft-Windows-Bits-Client [16398] - A new BITS job could not be created. The current job count for the user Laptop\Kate (60) is equal to or greater than the job limit (60) specified through group policy. To correct the problem, complete or cancel the BITS jobs that haven't made progress by looking at the error, and restart the BITS service. If this error recurs, contact your system administrator and increate the per-user and per-computer Group Policy job limits.

3/1/2013 4:19:23 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/1/2013 4:19:23 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

3/1/2013 4:19:16 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

2/24/2013 1:58:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.

.

==== End Of File ===========================

Perhaps my fault for not stepping in on that but I guess I was under the assumption that the topic had moved beyond that already when in fact it appears that it has not.

PLEASE DO NOT provide any further PC type advice here. This computer would appear to potentially be infected and that needs to be addressed first.

Thanks everyone.

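An added example, not from any post in this thread: the PowerShell below checks the five services that the Microsoft description Melboy quoted says Sirefef stops and deletes, and then pulls the Service Control Manager 7003/7023 events Ron quoted from the System log, so the same dependency failures (IPsec Policy Agent and IKE depending on a BFE that "might not be installed") can be seen on a live host. The service names and event IDs come from the posts above; the seven-day window, the registry read for the start type and the output format are my choices. Run it from an elevated prompt on Windows 7 or later.

```powershell
# Added example: triage for the services ZeroAccess/Sirefef removes and the
# Service Control Manager errors that result. Run from an elevated PowerShell.

# Service names taken from the Microsoft description quoted in this thread.
$targets = 'windefend', 'iphlpsvc', 'wscsvc', 'mpssvc', 'bfe'

Write-Output '== Security services ZeroAccess is known to stop and delete =='
foreach ($name in $targets) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # The DDS excerpt above shows exactly this case: BFE not installed at all.
        Write-Output ("  MISSING  {0,-10} service not installed (deleted?)" -f $name)
        continue
    }
    # PowerShell 2.0 (Windows 7) has no StartType on Get-Service; read it from the
    # service key instead: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $start = (Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).Start
    Write-Output ("  {0,-8} {1,-10} status={2} start={3}" -f 'present', $name, $svc.Status, $start)
}

# Event 7003: "<service> depends on the following service: X. This service might not be installed."
# Event 7023: "<service> terminated with the following error: ..."
Write-Output '== Service Control Manager 7003/7023 events, last 7 days =='
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7003, 7023
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BFE|does not exist as an installed service' } |
    ForEach-Object {
        '  {0:u} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -replace '\s+', ' ')
    }
```

A service reported MISSING here is a symptom, not the thing to fix: recreating BFE or the firewall service by hand on a host that still carries the rootkit just gets them deleted again, which is why the thread insists on the rootkit scan before any networking work. Note also that a rootkit running on the host can filter what this script sees, so a clean result is weaker evidence than a dirty one.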

Just so that everyone is aware. Yes the computer was in fact infected.

Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.09.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Kate :: LAPTOP [administrator]

3/9/2013 12:27:22 AM
mbar-log-2013-03-09 (00-27-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 31426
Time elapsed: 14 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-289773050-473075134-3857204749-1000\$34abdb91f75e6e4d3541138e74b7a4fe\n.) Good: (shell32.dll) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe\n.) Good: (fastprox.dll) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| (Hijack.Trojan.Siredef.C) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe\n.) Good: (%systemroot%\system32\wbem\fastprox.dll) -> Delete on reboot.

Folders Detected: 6
c:\$RECYCLE.BIN\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe\U (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-289773050-473075134-3857204749-1000\$34abdb91f75e6e4d3541138e74b7a4fe\U (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe\L (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-289773050-473075134-3857204749-1000\$34abdb91f75e6e4d3541138e74b7a4fe\L (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-289773050-473075134-3857204749-1000\$34abdb91f75e6e4d3541138e74b7a4fe (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 4
c:\$RECYCLE.BIN\S-1-5-18\$34abdb91f75e6e4d3541138e74b7a4fe\@ (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-289773050-473075134-3857204749-1000\$34abdb91f75e6e4d3541138e74b7a4fe\@ (Trojan.Siredef.C) -> Delete on reboot.
c:\Windows\assembly\GAC_32\Desktop.ini (Rootkit.0access) -> Delete on reboot.
c:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot.

(end)

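An added example, not Kate's log and not a Malwarebytes tool: a PowerShell sweep for the specific indicators the MBAR log above reports. It reads the two hijacked InProcServer32 default values (the per-user copy of a shell32.dll CLSID under HKCU and the WMI fastprox.dll CLSID under HKLM), looks for the C:\$Recycle.Bin\<SID>\$<32 hex>\ container with its U, L, @ and n entries, and checks the GAC_32/GAC_64 Desktop.ini paths. The CLSIDs, paths and expected DLL names are the ones the log reports; the 32-hex-character regex for the container name and the decision to treat any HKCU override of that shell CLSID as suspicious are my assumptions.

```powershell
# Added example: look for the ZeroAccess artefacts reported in the MBAR log above.
# Run from an elevated PowerShell. It only reports; it deletes nothing.

$findings = @()

# 1. COM hijack. ZeroAccess points the default value of InProcServer32 at a file
#    named 'n' (with a trailing dot) inside its $Recycle.Bin container.
#    CLSIDs and expected DLLs are the ones in the MBAR log.
$clsids = @(
    @{ Key    = 'HKLM:\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32'
       Expect = 'fastprox.dll'
       Note   = 'WMI fastprox CLSID' },
    @{ Key    = 'HKCU:\SOFTWARE\Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32'
       Expect = 'shell32.dll'
       Note   = 'per-user shadow of a shell32 CLSID' }
)
foreach ($c in $clsids) {
    $server = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    # Assumption: any per-user (HKCU) InProcServer32 for this CLSID is suspicious,
    # because the legitimate definition lives under HKLM and HKCU overrides it.
    if ($c.Key -like 'HKCU:*' -or $server -notmatch [regex]::Escape($c.Expect)) {
        $findings += "COM hijack ($($c.Note)): $($c.Key) = $server"
    }
}

# 2. Hidden container: C:\$Recycle.Bin\<SID>\$<32 hex chars>\ holding U, L, @ and n.
#    Real recycle-bin entries are named $R<random> / $I<random>, never 32 hex digits.
$bin  = 'C:\$Recycle.Bin'
$sids = @(Get-ChildItem -LiteralPath $bin -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
foreach ($sid in $sids) {
    $containers = @(Get-ChildItem -LiteralPath $sid.FullName -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' })
    foreach ($dir in $containers) {
        $names = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        $hits  = @($names | Where-Object { $_ -match '^(U|L|@|n\.?)$' })
        $findings += "ZeroAccess container: $($dir.FullName) [$($hits -join ', ')]"
    }
}

# 3. Payload dropped as Desktop.ini in the .NET Global Assembly Cache folders, both
#    flagged in the log. Explorer renders C:\Windows\assembly through a shell
#    extension, so these files are not visible when browsing that folder.
foreach ($p in 'C:\Windows\assembly\GAC_32\Desktop.ini', 'C:\Windows\assembly\GAC_64\Desktop.ini') {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += "Unexpected file: $p ($($item.Length) bytes, attributes $($item.Attributes))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess indicators found by this check (not proof of a clean host).'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

The reason this is a report-only script: the entries are protected (the "n." name with a trailing dot and the "Delete on reboot" in the log are both signs that normal file and registry deletion will not succeed while the rootkit is loaded), and a rootkit running on the host can also filter what the script sees. That is why the forum had Kate run the anti-rootkit tool rather than clean these paths by hand.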

Thanks, all.

Firefox - Sorry I didn't stop and do what you suggested.

Exile - I appreciate your support and encouragement to "do the right thing." I should have listened to you.

David - Re: horses at the trough. The rest goes like this: "You can lead a horse to water, but you cannot make her drink. However, if you lead her enough times, she can get mighty thirsty." Ron is an expert leader and I do whatever he suggests. Exile is a nice guy who commands my attention, but does not possess Ron's power of persuasion.

In a word all can benefit from Ron's leadership style. See any/all of his posts to learn Powers of Persuasion 101


Kate:

I'm glad that issue was ultimately resolved.

USB Ethernet adapters should include a CDROM with OS drivers so that the OS you are using can use the device as an Ethernet controller. You would then install those drivers, then connect the Ethernet cable to that Belkin device. Then power cycle the Westell Modem+Router so that it will recognize that a new device is connected to it.

Did the Belkin include a CDROM ?


Just so that everyone is aware. Yes the computer was in fact infected.

I see you used Malwarebytes Anti-Rootkit, well done :)!

Thanks, all.

Firefox - Sorry I didn't stop and do what you suggested.

Exile - I appreciate your support and encouragement to "do the right thing." I should have listened to you.

David - Re: horses at the trough. The rest goes like this: "You can lead a horse to water, but you cannot make her drink. However, if you lead her enough times, she can get mighty thirsty." Ron is an expert leader and I do whatever he suggests. Exile is a nice guy who commands my attention, but does not possess Ron's power of persuasion.

In a word all can benefit from Ron's leadership style. See any/all of his posts to learn Powers of Persuasion 101

Hehe, yes, that's why Ron is Support. He's very good at getting users to do what needs to be done (and when I started hanging around on these forums prior to being hired, he was one of my most valued teachers about all this computer stuff and still is to this day ;)).

I'm glad you got it fixed up, and using our new tool to do it as well. It's a project we're quite proud of and expect big things from it in the future.


Exile,

You're a prince. Congratulations on the job. I imagine working with Ron has to be a highlight of your career. He is not only veryyyy smart, he has a winning way about him, always willing to go the extra mile to help.

Kate


David,

No CD just the product. I just tried to install, couldn't.

Kate


Kate:

That's NOT good. I can't believe it didn't come with a disk with drivers. Without Win7/64 drivers the OS will not be able to work with it to do networking.

Is there a specific Belkin model number? It most likely will start with the letter 'F'. Maybe F4U047-RS?


David,

I tried to find the model #. If there is one, it is in birdseed, on the back of the product, and I don't have a magnifying glass. But the model you listed looks a little like the birdseed that I really can't read.

I do have the product #: MAC 050B60CC796 SERIAL #012-00215802

Kate


The computer has a broken winsock entry - until this gets fixed, adding or changing any network drivers is not going to work well anyway.

I'm trying to locate an automated fix, otherwise I'll need to write a manual one for you so please stop trying to make other changes to the computer at this time until we get you cleaned up.

I'm sorry you were not able to do the project you were wanting to do but at this point there isn't much we can do except to get your computer cleaned up so that the next time you'll be able to use it.

Thanks Kate


Ron,

Everyone has tried very hard to help me, and I appreciate it. I was just commiserating with you as to how my technical problems are going to affect my bankroll. Sorry, I'll stick to "just the facts, ma'am" from now on.

Kate


Ron:

Doesn't make sense if she was networking, albeit intermittently, via the fixed Ethernet port. That is, unless a Layered Service Provider was messed up in the removal of the ZeroAccess RK.

Kate:

The MAC address and the serial number won't help. Neither is a "model number".

For example, on the Belkin USB-to-Centronics (parallel) cable below you can see it is a Belkin F5U002.

[attached image of the Belkin F5U002 cable, model number visible on the label]

I am going to take a stab that it is indeed the Belkin F4U047-RS. You can download the drivers below. Just run the utility.

Belkin F4U047-RS Windows Drivers


It will network, but not well, as it has a bad entry that will probably require a deletion of the entire key and then installing a fresh default one.

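An added example, not Ron's fix: a way to see whether the Winsock catalog (the Layered Service Provider layer David mentions, stored under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters) carries an entry that points at a missing or out-of-place DLL, followed by the reset that does what Ron describes, deleting the key and installing a fresh default one. `netsh winsock show catalog` and `netsh winsock reset` are standard Windows commands; the parsing of the netsh output and the System32 heuristic are mine.

```powershell
# Added example: inspect the Winsock catalog for broken or foreign provider entries,
# then (optionally) rebuild it from the defaults. Run from an elevated PowerShell.

# Every catalog entry printed by netsh includes a 'Provider Path:' line naming its DLL.
$catalog = netsh winsock show catalog
$paths = foreach ($line in $catalog) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') { $Matches[1] }
}
$unique = @($paths | Select-Object -Unique)

$system32 = Join-Path $env:SystemRoot 'System32'
$flagged  = 0
foreach ($p in $unique) {
    $full   = [Environment]::ExpandEnvironmentVariables($p)
    $exists = Test-Path -LiteralPath $full
    # Heuristic (mine): the built-in providers live in System32. A third-party LSP
    # elsewhere is not necessarily malicious and only needs review, but a provider
    # whose DLL no longer exists is a broken entry and will disturb networking.
    $inSys  = $full -like "$system32\*"
    $flag   = if (-not $exists) { 'MISSING' } elseif (-not $inSys) { 'REVIEW ' } else { 'ok     ' }
    if ($flag -ne 'ok     ') { $flagged++ }
    Write-Output ("{0} {1}" -f $flag, $full)
}
Write-Output ("{0} provider path(s) in the catalog, {1} flagged" -f $unique.Count, $flagged)

# Repair, if an entry is MISSING or known bad: rebuild the catalog from the defaults
# and reboot. This drops every third-party LSP, so reinstall any you actually rely on
# (antivirus web filters, for example) afterwards.
#   netsh winsock reset
#   netsh int ip reset
```

Two cautions that follow from the thread: run this only after the rootkit has been removed, since a catalog rebuilt while ZeroAccess is still active can be re-hooked, and expect a reboot before the network stack behaves, which is also when the USB adapter's driver should be installed.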

Thanks, all.

Firefox - Sorry I didn't stop and do what you suggested.

No worries from me; bottom line is it's all getting fixed now, just took a little longer than expected...

I would agree that Ron is great at all he does..... As well as other helpers on this forum....

