Internet Disabled in- Trojan Infectio

Dell / 'xps a2010'
July 29, 2009 at 18:09:36
Specs: Microsoft Windows Vista Home Premium, 2.194 GHz / 2021 MB
My system has been infected with several Trojans and associated malware. Norton 360 is ineffective; Webroot Spy Sweeper identifies but cannot remove. My wireless cable connection has been knocked out and internet is available only in safe mode with networking. Can someone help?

Here is my system info:

Manufacturer: Dell inc.
Model: 'xps a2010'
OS: Microsoft Windows Vista Home Premium
CPU/Ram: 2.194 GHz / 2021 MB
Video Card: Intel(R) G33/G31 Express Chipset Family
Sound Card: Realtek High Definition Audio

I have run Malwarebytes and HijackThis, here are the log files for Malwarebytes.

Malwarebytes' Anti-Malware 1.39
Database version: 2525
Windows 6.0.6002 Service Pack 2

7/29/2009 8:59:23 PM
mbam-log-2009-07-29 (20-59-23).txt

Scan type: Quick Scan
Objects scanned: 103565
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\maknapper\AppData\Local\Temp\uaa7CC.tmp (Worm.Parite) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\maknapper\AppData\Local\Temp\uaa7CC.tmp (Worm.Parite) -> Delete on reboot.
c:\Users\maknapper\AppData\Local\Temp\qaa6A4.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\awaE204.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\lsaB46F.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\yraABF7.tmp (Worm.Parite) -> Quarantined and deleted successfully.

The system is infected despite this.
I hope someone can help. Thanks in advance!


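The Malwarebytes log in the opening post has a regular shape: a summary block of "<category> Infected: N" counts, then one section per category, each detection written as "path (threat) -> action." The parser below is an added example written for this page; it is not code from the thread or from Malwarebytes, and its format rules are inferred from that single log (the embedded sample is that log, abridged). It extracts the scan metadata, cross-checks every summary count against the lines actually listed under that heading, and flags entries marked "Delete on reboot": those are the items the scan could not remove while Windows was running, here a module already loaded in memory. That is the practical point of reading such a log carefully: it can read as a success while the machine is, as the poster says, still infected.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs; format inferred from the log posted above."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Copied (abridged: the empty registry/folder sections are dropped) from the log in the first post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2525
Windows 6.0.6002 Service Pack 2

7/29/2009 8:59:23 PM
mbam-log-2009-07-29 (20-59-23).txt

Scan type: Quick Scan
Objects scanned: 103565
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\maknapper\AppData\Local\Temp\uaa7CC.tmp (Worm.Parite) -> Delete on reboot.

Files Infected:
C:\Users\maknapper\AppData\Local\Temp\uaa7CC.tmp (Worm.Parite) -> Delete on reboot.
c:\Users\maknapper\AppData\Local\Temp\qaa6A4.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\awaE204.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\lsaB46F.tmp (Worm.Parite) -> Quarantined and deleted successfully.
c:\Windows\Temp\yraABF7.tmp (Worm.Parite) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")      # "Files Infected: 5"
HEADER_RE = re.compile(r"^(?P<category>.+ Infected):$")                       # "Files Infected:"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")                   # "Scan type: Quick Scan"


@dataclass
class Detection:
    category: str  # section heading the line appeared under, e.g. "Files Infected"
    path: str
    threat: str
    action: str    # "Delete on reboot" or "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    product: str = ""
    metadata: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    """Parse one log; raises ValueError on a line inside a section that is not a detection."""
    report = MbamReport()
    section = None  # heading of the detection section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends a section
            continue
        if not report.product:
            report.product = line  # first line: product name and version
            continue
        if (m := SUMMARY_RE.match(line)):
            report.summary[m["category"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            section = m["category"]
        elif section is not None:
            if line.startswith("(No malicious items detected)"):
                continue
            m = DETECTION_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line under {section!r}: {line}")
            report.detections.append(Detection(section, m["path"], m["threat"], m["action"]))
        elif (m := KV_RE.match(line)):
            report.metadata[m["key"]] = m["value"]
    return report


def count_mismatches(report):
    """Summary counts that disagree with the lines actually listed: {category: (claimed, listed)}."""
    listed = Counter(d.category for d in report.detections)
    return {cat: (n, listed[cat]) for cat, n in report.summary.items() if listed[cat] != n}


def pending_reboot(report):
    """Paths the scan could only schedule for removal; they stay on disk (and loaded) until a reboot."""
    return sorted({d.path.lower() for d in report.detections
                   if d.action.lower().startswith("delete on reboot")})
```

For this log `parse_mbam_log(SAMPLE_LOG)` yields six detection lines, `count_mismatches` returns an empty dict (every summary count matches its section) and `pending_reboot` returns the single `uaa7CC.tmp` path, which appears both as a loaded memory module and as a file; paths are lower-cased before de-duplication because the log itself mixes `C:\` and `c:\`.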


#1
July 29, 2009 at 18:23:51
Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:

1. Check the options below:
   * Select all the objects/places to be scanned.
   * Security Level setting to High.
2. Click Scan.
3. Fix what it detects.
4. Zip/Rar the scan log/summary and upload it to rapidshare.com. Post the download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
July 29, 2009 at 18:28:59
I have it. Setting up now, will reply shortly.

Thank you!



#3
July 29, 2009 at 20:51:21
The scan is progressing; however, the ETA for completion is 4 1/2 hours. Will post the log via RS link as advised then.

27% and 925+ infected files found so far! 2 trojans and win.32.Parite virus. This is UGLY.



#4
July 30, 2009 at 05:12:04
Here is the requested log. Note: I had to restart the scan 28% through, as I checked the setting and found I hadn't set it to deep search for rootkits. Hope that was OK.

http://rapidshare.com/files/2617395...

Awaiting reply. Thanks.



#5
July 30, 2009 at 06:41:56
I suggest you burn Kaspersky or Dr. Web's live boot CD on a clean computer and run a scan from it. This virus copies itself to every binary file. However, you might be able to fully cure it via boot disc.

If I'm helping you and I don't reply within 24 hours send me a PM.



#6
July 30, 2009 at 07:55:03
Dr. Web? Please elaborate. This sounds as bad as I thought.


#7
July 30, 2009 at 08:13:34
http://www.freedrweb.com/livecd or ftp://ftp.kaspersky.com/devbuilds/RescueDisk/kav_rescue_2008.iso

If I'm helping you and I don't reply within 24 hours send me a PM.



#8
July 30, 2009 at 08:17:56
Check my last. On the Dr. Web site now, however will take some time to set-up. From the tone of your last it sounds as though it is heading towards a complete re-install of the OS. Is this the likely outcome from what you observed in the log?


#9
July 30, 2009 at 08:22:51
It's not as bad as Virut; it can be recovered. You can read more about it at http://www.pc1news.com/virus/virus-...

If I'm helping you and I don't reply within 24 hours send me a PM.



#10
July 30, 2009 at 08:44:30
Right then, I'll have a go at it. Thanks in advance for your help. I'll post reply when I have completed the scan. Will post logs as well.


#11
July 30, 2009 at 17:30:31
OK jd,
I could not get the Dr. Web CD to boot completely. After a few attempts, I gave up and DL'ed Kaspersky, burned that CD and it is now running.

However, something changed after attempting the boot with Dr. Web. I've now completely lost my internet connection and when I tried to repair the Links Systems Router program I got an error "object instance not found". I tried using the install CD and got "product not supported by OS".

I hope the damage can be ameliorated with Kaspersky. Will update when the scan is finished.

Thanks.



#12
July 30, 2009 at 17:38:08
You burned Kaspersky on a clean system, correct?

If I'm helping you and I don't reply within 24 hours send me a PM.



#13
July 30, 2009 at 18:02:22
Yes!
I used a laptop and burned with ImageBurn.


#14
July 31, 2009 at 04:57:41
Scan is 99% complete, but I have a question. I have an alert message that says it has detected Trojan PSW.Win32.Agent.mcx which cannot be disinfected and gives the option of deleting or skipping [recommended]. Should I follow the recommended skip or delete now? Also, I have a message asking to update the program because the database is out of date, but that wasn't possible with my internet connection down. Awaiting advice.


#15
July 31, 2009 at 05:14:23
Which file is it? Take down the names of the files you delete. Only use delete/disinfect; don't use skip.

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
July 31, 2009 at 05:27:38
0.rar//AvsVideoConverter 6.2.3.320 AVS VideoConverter.exe

I'll provide the list next reply.



#17
July 31, 2009 at 05:36:41
Scan seems to be complete. Should I try to generate the report now?


#18
July 31, 2009 at 10:18:06
Don't want to hijack the thread, but would love to jump in and get some help myself. I am having the exact same problems as Pheonixx. I am reading each reply now and following the same steps you suggest. Will post logs when I get to that point, if it is OK to join in on this thread.


#19
July 31, 2009 at 10:41:13
Pheonixx: Yes, post the scan log. Also, now rerun the scan to be sure it got all the files.

Rollencode: You should start your own post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
July 31, 2009 at 10:55:30
Ok, NP will do. Good luck Pheonixx


#21
July 31, 2009 at 15:33:27
Sorry, fell asleep! : )

Oddly, I could not save the report, but I copied it verbatim and uploaded it.

http://rapidshare.com/files/2622996...

Before I restart the scan, I need to know if I should reboot? Or am I good to go with just restarting?



#22
July 31, 2009 at 15:43:31
What is your E drive? For the second scan follow Response Number 1; don't use the boot CD.

If I'm helping you and I don't reply within 24 hours send me a PM.



#23
July 31, 2009 at 16:07:07
Not really sure. Under settings I had the program check all drives, even though the E drive is the optical drive the CD was in. The program or file deleted resides in the C://Downloads folder.

Odd.

OK. Kaspersky in safe mode. Thanks



#24
July 31, 2009 at 16:26:37
Now, in addition to the internet being knocked out, I have the message "Windows Help and Support failed to start" with a link back to Microsoft.

Seems like the OS is losing functionality every time I boot into safe mode!



#25
July 31, 2009 at 16:27:34
Do you have your windows installation disc?

If I'm helping you and I don't reply within 24 hours send me a PM.



#26
July 31, 2009 at 17:37:51
Yes I do.


#27
July 31, 2009 at 17:48:05
OK. Finish the scan and post the scan results.

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
August 1, 2009 at 00:07:35
Hi jd,

Here's the link for the last scan. Nothing was detected.

http://rapidshare.com/files/2624129...

Still no internet, had to port the log via flash drive and upload on a laptop. This time when the system rebooted to normal run mode it took five minutes to go from the Welcome screen to the desktop and just before the desktop came up my screen went solid purple for a minute.

Also got the message "Intel service failed to start. Windows has closed the program. MS Windows will notify you when a solution has been found."

Looks as though it's getting worse. Have my root directory files been damaged?



#29
August 1, 2009 at 05:52:41
Read: http://www.updatexp.com/scannow-sfc... then go to normal mode, START > RUN > type: sfc /scannow, reboot and see if your system is any better. If not, we will have to boot from CD and repair the installation.

If I'm helping you and I don't reply within 24 hours send me a PM.



#30
August 1, 2009 at 06:17:02
The instructions on this site are for XP, will this command work on Vista Home Premium?


#31
August 1, 2009 at 06:47:34
Yes, it should be similar. If you get stuck, let me know.

If I'm helping you and I don't reply within 24 hours send me a PM.



#32
August 1, 2009 at 07:27:38
Not what I was expecting having read the article. The scan didn't run. I got the following instead; these are the last 6 lines in the command prompt:

For offline repairs specify location of the offline boot directory
For offline repairs specify location of the offline WINDOWS directory
sfc/scannow
sfc/VERIFYFILE=c:\windows\system32\kernal132.dll
sfc/SCANFILE=.d\windows\system32\kernal132.dll/OFFBOOTDIR=d:\ /OFFWINDOWS R=d:\windows
sfc/VERIFYONLY

Second to last line may not be complete as I can't view the whole command prompt window. I'm stuck.



#33
August 1, 2009 at 07:32:03
Is it the wrong command? It's supposed to be sfc<space>/scannow. I have no clue what you typed.

If I'm helping you and I don't reply within 24 hours send me a PM.



#34
August 1, 2009 at 07:38:44
Ah! working now, will advise when done.


#35
August 1, 2009 at 08:13:00
OK, did the scan and rebooted, but the system is still in the same state. I retrieved the scan log for inclusion here:

http://rapidshare.com/files/2625384...

When scan was complete I rebooted, but as it was shutting down the blue screen popped up with the "To protect your computer from harm Windows is shutting down" blah, blah, blah.

On restart I had the lengthy Welcome screen, followed by the all-purple screen, followed by the message: "Windows has recovered from an unexpected shutdow....." Last time I saw that, there had been a power failure.

What's next?



#36
August 1, 2009 at 08:40:32
Seems like the virus did corrupt your files. I suggest you either reinstall or repair your installation from the boot disc. You can also try CCleaner's registry cleaner. But corrupted system files were replaced by the last command.

If I'm helping you and I don't reply within 24 hours send me a PM.



#37
August 1, 2009 at 08:58:21
Afraid it would come to that. I'll try a repair from the boot disc, then reinstall if that fails. Any suggestions on the boot repair procedure?

And thanks again for taking the time to do this, you've been a godsend with all your help!



#38
August 1, 2009 at 11:06:16
Run a full scan with: http://onecare.live.com/site/en-Us/... first, before we resort to restore.

If I'm helping you and I don't reply within 24 hours send me a PM.



#39
August 1, 2009 at 12:01:20
Only problem there is my internet is still dead in normal start-up as well as safe mode. Network Diagnostics are out as well. Tried resetting the Group Policy DHI to get Diagnostics going but all I get is an error 5 message. Help and Support is disabled as well.


#41
August 2, 2009 at 03:24:08
No joy. Startup Repair detected no problems. Can't use System Restore because it isn't enabled, which means something recently changed because I know I had it enabled. So there are no usable restore points.

Please let me know if any other ideas occur to you before I completely reinstall the OS.



#42
August 2, 2009 at 07:06:46
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to game.pif and try to run it again. Pause/stop your antivirus and firewall software (if any), close games, text editors and all other programs; leave Internet Explorer/Firefox running before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility.

--> Please navigate to "File" => "Custom Scripts". Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdate;
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script.

--> Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip. Upload virusinfo_syscure.zip to rapidshare.com and paste the link here.
* It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

In your next reply, please include download links to the following:
* virusinfo_syscure.zip
* DDS Logs



#43
August 2, 2009 at 07:15:33
Sorry, AVZ?


#44
August 2, 2009 at 07:18:27
Follow Response Number 42.

If I'm helping you and I don't reply within 24 hours send me a PM.



#45
August 2, 2009 at 08:30:21
No good. AVZ causes a blue screen shutdown about two seconds into running the Healing/Quarantine and Advanced System Analysis script.

Also, I did run the update script despite not having any internet connection. That script ran OK. In case it was a fluke, I ran the program twice with the same result, so no log to post.



#46
August 2, 2009 at 08:44:11
What was the BSOD stop code error? Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(14);
ExecuteRepair(15);
ExecuteRepair(16);
RebootWindows(true);
end.

2) Try to remake above logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



#47
August 2, 2009 at 09:17:11
Assume the scripts in the last post were to be run in custom scripts. I get the error message "Error: '=' expected at 3:1".

I don't know what error code was thrown on the BSOD. Tried to open the Event Viewer to see what the error/exception was but the service is toast like the others.



#48
August 2, 2009 at 09:35:09
Check that! Got the first of the above scripts going. Will advise when finished.


#49
August 2, 2009 at 09:48:58
Response Number 46 part 1 should work; make sure you are copying the script correctly.

If I'm helping you and I don't reply within 24 hours send me a PM.



#50
August 2, 2009 at 10:42:28
OK, ran all the scripts. There has been improvement. The system boots now with no lag time, almost normal. Showing a limited internet connection in normal mode, so it might be restored in safe mode. [edit] Still no internet in safe mode.
Downside is UAC has been reactivated for the first time since I got the machine. Won't let me deactivate it again though.


#51
August 2, 2009 at 10:57:08
Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim). Run the temp and registry cleaner with it. Then redo Response Number 42 and post a new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



#53
August 2, 2009 at 12:35:54
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('/C.exe','');
QuarantineFile('c:\windows\system32\drivers\rxfjemmtwfrvrxjn.sys','');
QuarantineFile('c:\windows\system32\drivers\bpirlsecfieyvxxb.sys','');
DeleteFile('/C.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

3) Run a full scan with SuperAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#54
August 2, 2009 at 13:03:15
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('/C.exe','');
DeleteFile('/C.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Is this all one step or a series of steps like before?



#55
August 2, 2009 at 13:27:49
Response Number 53 has changed. Begin to end. is all part of a single script (one step).

If I'm helping you and I don't reply within 24 hours send me a PM.



#56
August 2, 2009 at 16:23:15
OK, Malwarebytes would not complete a full scan; it got hung up twice when it reached this file: d:\windows\system32\config\DEFAULT.LOG1
I had to use Task Manager to shut down the program each time after it had scanned 214958 objects, which would have been relatively near the end of the scan. I ran the quick scan instead and include that log with the SuperAntiSpyware scan log:

http://rapidshare.com/files/2630336...



#57
August 2, 2009 at 16:30:28
Do you have any antivirus installed? If you don't, install free Avira. How is your system running now?

If I'm helping you and I don't reply within 24 hours send me a PM.



#58
August 2, 2009 at 16:50:05
I have both Webroot and Norton 360. The latter I am hesitant to reinstall, as I have used two versions of Symantec and have no confidence in their products. The system is still far from stable, many background services remain inaccessible and internet is still out.


#59
August 2, 2009 at 17:06:26
Run sfc /scannow again. If that doesn't bring the system back to workable/fixable, I suggest you go ahead with your format.

If I'm helping you and I don't reply within 24 hours send me a PM.



#60
August 2, 2009 at 17:51:14
Thinking your last assessment is correct JD, here is the CBS log.

http://rapidshare.com/files/2630577...



#61
August 2, 2009 at 18:45:04
Any better? Is the internet working?

If I'm helping you and I don't reply within 24 hours send me a PM.



#62
August 3, 2009 at 02:25:38
Hi JD, sorry for the delay. No, there's been no improvement. I ran a diagnostic on the Network Connections and this generated a remote access HTTP report. Far from any kind of expert, but from what I could see most of the services that are necessary for the operating system to make a connection are disabled and/or inaccessible. I think there has been too much damage. While startup is OK and most programs are working, everything connected to the internet is down. I don't know what other options I have.


#63
August 3, 2009 at 12:00:25
JD,
Thank you for your time, patience and help. I successfully reformatted and installed my OS. Minor problem with my Broadcom Network Adapter, but all's well. Thanks to you I was able to salvage most of my important files and even some of my programs. I owe you a beer!

Really glad I found this forum, thanks for being here!



#64
August 3, 2009 at 12:46:55
No problem, glad to be helpful.

If I'm helping you and I don't reply within 24 hours send me a PM.

