
Infected Computer...looking for assistance



Hello,

 

Quick background: about 1 month ago, I noticed my computer running slower and slower.  I have an older computer, so didn't think much of it until I noticed that all of my memory appeared to be gone overnight.  I always had plenty of memory before, but after deleting old/unused programs, it became better for about a week, but then my memory went to less than 1% again.  This caused my Norton 360 Anti-virus to not update, because of lack of memory. My Norton 360 never really finds any viruses, and appears fine, except that the virus definitions are now out-of-date.

 

After researching a little bit, I downloaded Malwarebytes. I would run the scan, and it would find hits, I would quarantine, and then delete.  Mainly it would find Hijack.SHELL.32.  This kept occurring, and my computer was not getting any better.  I will copy/paste the log to the bottom.

 

Yesterday, I downloaded RogueKiller, and it found something in the pre-scan.  So then I did the full scan, and it found 2 items within the first 30 minutes, but it still didn't finish.  I let it run for about 2 more hours, but it wouldn't move on to the next task.  I then let it run overnight, and when I awoke, it was in the same spot as the night before.  I manually quit this, and did more research.

 

I then downloaded Rkill, and will attach the log.

 

Malwarebytes

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.08.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Everybody :: RANDY [administrator]

1/8/2014 8:03:56 PM
mbam-log-2014-01-08 (20-03-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240721
Time elapsed: 19 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume2\DOCUME~1\EVERYB~1\LOCALS~1\Temp\sfgnwho\ssittlx\wow.dll) Good: (SHELL32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

RKill

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/08/2014 09:20:02 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\stsystra.exe (PID: 2472) [WD-HEUR]
 * C:\WINDOWS\System32\DLA\DLACTRLW.EXE (PID: 2584) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost

Program finished at: 01/08/2014 09:21:48 PM
Execution time: 0 hours(s), 1 minute(s), and 46 seconds(s)
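The Malwarebytes entry in the log above is a COM hijack: the InProcServer32 value of a CLSID names the DLL that gets loaded into whatever process instantiates that object, so swapping SHELL32.dll for a DLL in a Temp folder gets the malware loaded by Explorer without any startup entry of its own. The script below is an added example, not Malwarebytes code or part of this thread; it parses "Registry Data Items" lines in the log format shown above and applies a few assumed defender-side heuristics (device-path prefix, Temp directory, 8.3 short names, wrong file name, not under a system directory) to explain why the replaced path is suspicious. The second log line is constructed as a benign contrast and would not appear in a real Malwarebytes log.

```python
import re

# Constructed sample lines. The first copies the format of the Malwarebytes
# "Registry Data Items" entry quoted in the thread; the second is a made-up
# clean entry so the triage has a benign case to compare against.
SAMPLE_LINES = [
    r"HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume2\DOCUME~1\EVERYB~1\LOCALS~1\Temp\sfgnwho\ssittlx\wow.dll) Good: (SHELL32.dll) -> Quarantined and repaired successfully.",
    r"HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32| (Example.Clean) -> Bad: (C:\WINDOWS\system32\shell32.dll) Good: (SHELL32.dll) -> No action taken.",
]

# key| (detection) -> Bad: (path) Good: (path) -> action
ENTRY_RE = re.compile(
    r"^(?P<key>[^|]+)\| \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


def parse_entry(line):
    """Split one Malwarebytes registry-data line into its fields, or None."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(bad_path, expected_dll):
    """Assumed heuristics: why an InProcServer32 path looks hijacked.

    Returns an empty list when the path is what a system COM server
    should look like (expected file name, under a system directory).
    """
    reasons = []
    lowered = bad_path.lower()
    # \\?\globalroot\Device\... addresses the volume by device object,
    # which hides the drive letter from casual inspection.
    if lowered.startswith(r"\\?\globalroot"):
        reasons.append("device-path form (\\\\?\\globalroot) hides the drive letter")
    comps = [c for c in bad_path.split("\\") if c]
    dirs = [c.lower() for c in comps[:-1]]
    if "temp" in dirs:
        reasons.append("DLL lives under a Temp directory")
    if any("~" in c for c in comps[:-1]):
        reasons.append("8.3 short names in the path")
    name = comps[-1] if comps else ""
    if name.lower() != expected_dll.lower():
        reasons.append(f"file name {name!r} is not the expected {expected_dll}")
    if not any(d in ("system32", "syswow64") for d in dirs):
        reasons.append("not loaded from a Windows system directory")
    return reasons


def triage(lines):
    """Parse every matching line and attach the heuristic verdict."""
    results = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry["bad"], entry["good"])
        results.append({**entry, "reasons": reasons, "suspicious": bool(reasons)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        verdict = "SUSPICIOUS" if r["suspicious"] else "looks clean"
        print(f"{r['detection']}: {verdict}")
        for reason in r["reasons"]:
            print(f"  - {reason}")
```

The same checks apply to a live registry export of HKCR\CLSID\*\InProcServer32 values: the interesting signal is not the CLSID but a system-object DLL path that points anywhere other than the Windows directory.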

 

 

 

 


Hello Vaughn and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.


Hi Borislav,

 

After reading the three articles that you provided, I am convinced that I need to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.  I have a Dell Computer, and a Windows XP Operating system with Microsoft Office, is there a step-by-step article on how to accomplish this? I am unsure if I have any start-up discs for any of them or if any of them came with discs.

 

Also, I have an external hard drive (I recently unplugged it), what is the chance that drive is also impacted by the virus/rootkit/etc?  I would like to plug it into a friend's computer to ensure that we don't lose any of our family photos, but don't want to compromise their computer.

 

Thanks for your assistance,

Vaughn


I am trying to open my files on my external hard drive to ensure that they are on there and accessible.

 

It is a Western Digital 2.0. I can see the files, and they all appear to have the proper size. When I try to open the files, they are all in an unrecognizable format. I had a virus on my older Dell computer with Windows XP, and now I am trying to open it with a new Dell with Windows 7.  Any suggestions?


I fixed my external drive back-up issue.

 

My new issue is trying to wipe my hard drive clean, and start over. I don't have the Dell C521 Disk.

 

I have tried to do a system restore by using the tool that is under the Accessories function on My XP device, but it won't let me pick a date beyond yesterday.

 

I tried hitting ctrl F11 when the machine is powering up, but it keeps bringing me to the boot menu/set-up spot.  I looked in each of the places to wipe it clean and start fresh, but can't find it.

 

I also googled a bunch of things, but keep running into the same two answers from above, and can't get it.

 

Any suggestions?


I tried hitting ctrl F11 when the machine is powering up, but it keeps bringing me to the boot menu/set-up spot. I looked in each of the places to wipe it clean and start fresh, but can't find it.

You need a disc for this purpose.

If you don't have any, another option is a USB flash drive with Windows OS. If you don't have any... no way to start over.
