
The first symptom was that my computer (running XP Pro SP3) wouldn't recognize any .exe files. I couldn't boot up in safe mode, couldn't access set up, couldn't access the BIOS. It appeared to boot up normally (saw my desktop, icons, taskbar etc.), I just couldn't run anything. The only thing I could do was ctrl+alt+del and get to the Task Manager. I used this fix (My link) to get it to recognize an exe file, but had to access regedit through Task Manager and couldn't verify whether System Restore was disabled or not. Doing this allowed me to run an older version of Malwarebytes Anti-Malware that was already on my computer, which revealed PUM.Disabled.SecurityCenter (log attached). I then went online and updated Malwarebytes Anti-Malware and ran it, and it revealed Hijack.StartMenuInternet (log attached). I updated AVG and ran a full scan which revealed nothing. I've run Malwarebytes Anti-Malware today and it revealed nothing.

Something is still messed up, as I cannot update Windows security. When I go to Control Panel -> Automatic Updates, it is enabled, but when I go to Security Center it is turned off. When I try to turn it on I get an error msg saying that I should go to Automatic Updates and turn it on. I then went to microsoft.com and tried downloading from there. I get error msg # 0x80070424. I searched the knowledge database and found a topic, associated with SP2.

I was able to verify from the information on that topic that I am missing both of these entries in my Registry Editor:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\wuauserv

HKEY_LOCAL_MACHINE\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV

I confirmed from a friend running SP3 that her Registry has them. She also confirmed Automatic Updates are in her Services, but they are not in mine.

God (or someone who is not Tabula Rasa) only knows what else is wrong that I haven't discovered. What can I do?

Forgive me if I haven't included all that I should have, this is my first post.

PUM.Disabled.SecurityCenter Log.txt

Hijack.StartMenuInternet Log.txt


  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Please download exeHelper from one of these two places:

http://www.raktor.net/exeHelper/exeHelper.com

http://www.raktor.net/exeHelper/exeHelper.scr

Save it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.

Next, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


  • 2 weeks later...

Apologies for the attachments - I thought it would be easier. I managed to "resolve" that problem a day or two after my post. I say "resolve" because problems with redirection on Google whenever I tried to get to Microsoft Updates are happening again. Had the same problem with the .exe, but resolved that the same way with: navigate to and select the key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

In the right pane, double-click the (Default) value.

Delete the current value data, and then type:

"%1" %*

(I resolved the update issue the last time with: Start - Run, type: regsvr32 wuaueng.dll (also from microsoft.com).)

This time I had to fix the registry again so I could launch exes. I am able to update Malwarebytes Anti-Malware and run both quick and full scans, which turn up nothing, but I am still being redirected when using Google or other search engines. I downloaded and ran Microsoft's Safety Scanner, which found and partially removed: Trojan:DOS/Alureon.A

I tried searching for this on the forum but get zero results.

Below are the 3 Malwarebytes Anti-Malware logs that I ran that showed problems:

1. Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6579
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/18/2011 18:59:30
mbam-log-2011-05-18 (18-59-30).txt
Scan type: Quick scan
Objects scanned: 141017
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
c:\documents and settings\adrienne\application data\a2f9eeae2ece92b1193957ee1ee6d9a4\sokdrt700.exe (Trojan.FakeAlert) -> 1992 -> Unloaded process successfully.
c:\documents and settings\networkservice\local settings\application data\tww.exe (Trojan.ExeShell.Gen) -> 2524 -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sokdrt700.exe (Trojan.FakeAlert) -> Value: sokdrt700.exe -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\adrienne\application data\a2f9eeae2ece92b1193957ee1ee6d9a4\sokdrt700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\tww.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\Temp\15E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\Temp\smocexnwra.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\Temp\pliiouru.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\3UH3R6IC\lmzdd[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\3UH3R6IC\uhhymdqu[1].htm (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\761PM9SZ\lyyyzdduh[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\wjwwnae[1].htm (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\scctgxkbb[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\local settings\temporary internet files\Content.IE5\N19IXSF5\bosgwxbeff[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\mprimsi.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\adrienne\application data\Adobe\plugs\kb21209718.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

2. Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6612
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/18/2011 19:33:12
mbam-log-2011-05-18 (19-33-12).txt
Scan type: Quick scan
Objects scanned: 141642
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\browselcw.dll (Trojan.Agent.GGEP) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.

3. Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6627
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/20/2011 10:30:23
mbam-log-2011-05-20 (10-30-23).txt
Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 175013
Time elapsed: 17 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\fvgp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


The subsequent 4 scans I have run turn up nothing.
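As an added example (not code from the thread, from Malwarebytes, or from any tool named above), a small Python audit of the three registry locations the logs above show hijacked: the exefile open command that the poster restored to "%1" %*, the StartMenuInternet browser launch commands redirected to tww.exe, and the Security Center DisableNotify flags reset from 1 to 0. It runs over a constructed snapshot dict rather than the live registry; the hijacker path used for the exefile entry is made up, since the thread shows only that the value was hijacked, not what it had been set to.

```python
import re

# Clean XP data for HKEY_CLASSES_ROOT\exefile\shell\open\command (Default), as restored in the thread.
EXEFILE_GOOD = '"%1" %*'
# Security Center flags that the PUM.Disabled.SecurityCenter entries show reset from 1 back to 0.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
NOTIFY_FLAGS = ("antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify")
# A browser launch command pointing into a user profile or Temp directory is suspect
# (the logs show tww.exe under NetworkService\Local Settings\Application Data).
PROFILE_PATH = re.compile(r"documents and settings|application data|\\temp\\", re.IGNORECASE)


def audit(registry):
    """registry maps 'KEY\\ValueName' -> data, with '(default)' spelled out.
    Returns (key, detection_label, expected_data) triples, in the Bad/Good spirit of MBAM."""
    findings = []
    for key, data in registry.items():
        path, _, name = key.rpartition("\\")
        lpath, lname = path.lower(), name.lower()
        if lpath == r"hkey_classes_root\exefile\shell\open\command" and lname == "(default)":
            if data != EXEFILE_GOOD:
                findings.append((key, "Hijack.ExeFile", EXEFILE_GOOD))
        elif "\\clients\\startmenuinternet\\" in lpath and lname == "(default)":
            parts = path.split("\\")  # ...\StartMenuInternet\<browser>\shell\<verb>\command
            browser, verb = parts[-4].lower(), parts[-2].lower()
            good = browser + (" -safe-mode" if verb == "safemode" else "")
            if PROFILE_PATH.search(str(data)):
                findings.append((key, "Hijack.StartMenuInternet", good))
        elif lpath == SECURITY_CENTER and lname in NOTIFY_FLAGS:
            if data != 0:
                findings.append((key, "PUM.Disabled.SecurityCenter", 0))
    return findings


# Constructed snapshot mirroring the log entries above; the exefile hijacker path is made up.
SAMPLE = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)": r'"C:\made-up\hijacker.exe" "%1" %*',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default)":
        r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\tww.exe" -a "firefox.exe',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)": "iexplore.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": 1,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": 0,
}

if __name__ == "__main__":
    for key, label, good in audit(SAMPLE):
        print(f"{label}: {key}\n    expected: {good!r}")
```

On a live XP box the same function can be fed a dict built by walking those keys with the standard winreg module; the checks only flag data that deviates from the clean values the logs report.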


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
