TabulaRasa Posted May 7, 2011 ID:425891 Share Posted May 7, 2011 The first symptom was that my computer (running XP Pro SP3) wouldn't recognize any .exe files. I couldn't boot up in safe mode, couldn't access set up, couldn't access the bios. It appeared to boot up normally (saw my desktop, icons, taskbar etc.), I just couldn't run anything. The only thing I could do was ctrl+alt+del and get to the Task Manager. I used this fix My link to get it to recognize an exe file, but had to access regedit through task manager and couldn't verify whether system restore was disabled or not. Doing this allowed me to run an older version of Anti-Malwarebytes that was already on my computer which revealed PUM.Disabled.SecurityCenter (log attached). I then went online and updated Anti-Malwarebytes and ran it, and it revealed Hijack.StartMenuInteret (log attached). I updated AVG and ran a full scan which revealed nothing. I've run Anti-Malwarebytes today and it revealed nothing.Something is still messed up, as I cannot update windows security. When I go to Control Panel -> Automatic Updates, it is enabled, but when I go to Security Center it is turned off. When I try to turn it on I get an error msg saying that I should go to Automatic Updates and turn it on. I then went to microsoft.com and tried downloading from there. I get error msg # 0x80070424. I search the knowledge database and found a topic, associated with SP2.I was able to verify from the information on that topic that I am missing both of these entries in my Registry Editor:HKEY_LOCAL_MACHINE\CurrentControlSet\Services\wuauservHKEY_LOCAL_MACHINE\CurrentControlSet\Enum\Root\LEGACY_WUAUSERVI confirmed from a friend running SP3 that her Registry has them. She also confirmed Automatic Updates are in her Services, but they are not in mine. God (or someone who is not Tabula Rasa) only knows what else is wrong that I haven't discovered. What can I do?Forgive me if I haven't included all that I should have, this is my first post.PUM.Disabled.SecurityCenter Log.txtHijack.StartMenuInternet Log.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted May 11, 2011 Staff ID:427722 Share Posted May 11, 2011 Hi and welcome to Malwarebytes.In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.Please download exeHelper from one of these two places:http://www.raktor.net/exeHelper/exeHelper.comhttp://www.raktor.net/exeHelper/exeHelper.scrSave it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.Next, please update MBAM, run a Quick Scan, and post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply. Link to post Share on other sites More sharing options...
TabulaRasa Posted May 21, 2011 Author ID:432099 Share Posted May 21, 2011 Apologies for the attachments - I thought it would be easier. I managed to "resolve" that problem a day or two after my post. I say "resolve" because problems with redirection on google whenever I tried to get to Microsoft Updates are happening again. Had the same problem with the .exe, but resolved that the same way with: Navigate to and select the key: HKEY_CLASSES_ROOT\exefile\shell\open\commandIn the right pane, double-click the (Default) value.Delete the current value data, and then type: "%1" %* (I resolved the update issue the last time with: Start - Run type: regsvr32 wuaueng.dll (also from microsoft.com)).This time I had to fix the registry again so I could launch exes. I am able to update Anti-Malware Bytes and run both quick and full scans which turn up nothing, but I am still being redirected when using google or other search engines. I downloaded and ran Microsoft's Safety Scan which found and partially removed: Trojan:DOS/Alureon.AI tried searching for this on the forum but get zero results.Below are the 3 Anti-Malware Byte logs that I ran that showed problems:1. Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 6579Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.135/18/2011 18:59:30mbam-log-2011-05-18 (18-59-30).txtScan type: Quick scanObjects scanned: 141017Time elapsed: 5 minute(s), 10 second(s)Memory Processes Infected: 2Memory Modules Infected: 1Registry Keys Infected: 3Registry Values Infected: 2Registry Data Items Infected: 6Folders Infected: 0Files Infected: 16Memory Processes Infected:c:\documents and settings\adrienne\application data\a2f9eeae2ece92b1193957ee1ee6d9a4\sokdrt700.exe (Trojan.FakeAlert) -> 1992 -> Unloaded process successfully.c:\documents and settings\networkservice\local settings\application data\tww.exe (Trojan.ExeShell.Gen) -> 2524 -> Unloaded process successfully.Memory Modules Infected:c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sokdrt700.exe (Trojan.FakeAlert) -> Value: sokdrt700.exe -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:c:\documents and settings\adrienne\application data\a2f9eeae2ece92b1193957ee1ee6d9a4\sokdrt700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.c:\documents and settings\networkservice\local settings\application data\tww.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\Temp\15E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\Temp\smocexnwra.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\Temp\pliiouru.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\3UH3R6IC\lmzdd[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\3UH3R6IC\uhhymdqu[1].htm (Rogue.Installer.Gen) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\761PM9SZ\lyyyzdduh[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\wjwwnae[1].htm (Trojan.Agent.Gen) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\scctgxkbb[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\bosgwxbeff[1].htm (Adware.Agent) -> Quarantined and deleted successfully.c:\WINDOWS\mprimsi.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.c:\documents and settings\adrienne\application data\Adobe\plugs\kb21209718.exe (Trojan.Agent) -> Quarantined and deleted successfully.c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.2. Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 6612Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.135/18/2011 19:33:12mbam-log-2011-05-18 (19-33-12).txtScan type: Quick scanObjects scanned: 141642Time elapsed: 4 minute(s), 30 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\browselcw.dll (Trojan.Agent.GGEP) -> Quarantined and deleted successfully.c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.3. Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 6627Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.135/20/2011 10:30:23mbam-log-2011-05-20 (10-30-23).txtScan type: Full scan (A:\|C:\|D:\|E:\|)Objects scanned: 175013Time elapsed: 17 minute(s), 6 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\Temp\fvgp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.Hi and welcome to Malwarebytes.In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.Please download exeHelper from one of these two places:http://www.raktor.net/exeHelper/exeHelper.comhttp://www.raktor.net/exeHelper/exeHelper.scrSave it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.Next, please update MBAM, run a Quick Scan, and post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.The subsequent 4 scans I have run turn up nothing. Link to post Share on other sites More sharing options...
TabulaRasa Posted May 21, 2011 Author ID:432112 Share Posted May 21, 2011 Ran Kaspersky TDSS killer and it found and cured: Rootkit.Win32.TDSS.td14Redirect no longer appears to be happening. Link to post Share on other sites More sharing options...
Staff screen317 Posted May 25, 2011 Staff ID:433151 Share Posted May 25, 2011 Hi,Please update MBAM, run a Quick Scan, and post its log.Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted June 6, 2011 Staff ID:437536 Share Posted June 6, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts