Malware infection - need help please


Quizzical


I've now heard back from Microsoft and have manually downloaded and installed SP3. There was a problem during the installation with a file called dumprep.exe but I don't know what that might mean. I can't delete, rename, move or open it - which is a similar symptom to what I had before when I couldn't access spybotsd and similar.

Still can't access windows update site so waiting to hear if they suggest anything else.

MBAM found two more worm.agents yesterday in System Volume Information. Successfully quarantined.

???


I normally use Firefox but when I attempted to access the site (update.microsoft.com/windowsupdate) I got a message saying that I must be running IE5 or later, so since then I've tried using IE5.

Whichever way, I still can't get access.

I hadn't heard of IETAB, but have added it to Firefox to try. But the same thing happens - gets to the site, says it's checking my computer, then diverts to error page.


Chris, I want to ask you please to not close this thread. I have to be away from 23rd October until 1st November so will not be able to post again until then.

MS have so far been unable to resolve things. The initial contact offered 3 suggestions to restore access to Windows update but none of them worked and I have now heard nothing further for the last 3 days so I have no idea what's going on. I'm still really confused as to what nasties are lingering on my PC that still seem to be causing residual problems. At least Avira and MBAM haven't reported any gremlins lately.

I'll update you again on the 1st; thanks for your help and patience so far.

BTW, I've upgraded to IE8 but still the same problem with Windows update access.


  • Staff

Hi,

Sure I'll leave the topic open for you.

This isn't an issue of malware still on your system. This is a residual issue as a result of damage caused by the malware (cleaning malware doesn't guarantee that all of the damage can be repaired, especially in today's world). Keep trying with Microsoft; see if they'll offer any other suggestions.

-screen317


  • 2 weeks later...

Hello again,

Not getting much resolved so far with Microsoft. Every few days or so I'll hear something, and I'm quite puzzled/confused about what's going on. I did successfully install SP3 but still couldn't access Windows Update. Then I was told that the registry value CSDVersion in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows should be "0". So I changed it from 300 to 0, after which Windows reported that it wasn't up to date and needed SP2. Now I've been asked to reinstall SP2 and that's where I currently am up to.

Seems to me that there's a problem with "dumprep.exe" because this has cropped up whilst installing both SP3 and SP2 - the setup wizard couldn't copy the file, and I had to continue the setup without the file being copied. I can't manually rename, open, copy or delete the file either. This is a similar problem I had a while back when the malware had effectively disabled some files and programs. Do you know - if I can find a way to delete it, is this a file that Windows will automatically recreate?

One further question - One of the tools you used with me (Avenger) is not completely gone from my computer. There is an Avenger folder, and also a subfolder which it appears is empty but when I try to delete it Windows says the folder is not empty and won't delete it. Any suggestions?

I take your point that my current issue is not really a malware problem but residual after-effects - so if you think it's time to close this topic down then that's fine. Many, many thanks again for all your help.


  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    dumprep.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


OK, done that, and here's the logfile...

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 09:51 on 08/11/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "dumprep.exe"

C:\WINDOWS\SDOLD\Download\cf8ec753e88561d2ddb53e183dc05c3e\dumprep.exe --a--- 10752 bytes [17:42 03/09/2008] [00:12 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF

C:\WINDOWS\ServicePackFiles\i386\dumprep.exe ------ 10752 bytes [10:44 17/10/2009] [04:42 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF

C:\WINDOWS\system32\dumprep.exe --a--- 10752 bytes [12:00 04/08/2004] [00:56 04/08/2004] (Unable to calculate MD5)

-=End Of File=-

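The SystemLook output above is the kind of thing a helper reads by eye: three copies of the same file, two with matching MD5s and one that the tool could not hash at all because the file was locked. The following is an added example, not part of the thread and not code from SystemLook or Malwarebytes. It parses the :filefind line format shown in the log (assumed from the three lines posted, with the hashes and timestamps copied from them as constructed sample input) and reports whether the readable copies agree on a reference hash, which copies could not be read, and whether sizes differ.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the :filefind section exactly as it appeared in the
# posted SystemLook log for dumprep.exe.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:51 on 08/11/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========
Searching for "dumprep.exe"
C:\WINDOWS\SDOLD\Download\cf8ec753e88561d2ddb53e183dc05c3e\dumprep.exe --a--- 10752 bytes [17:42 03/09/2008] [00:12 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\ServicePackFiles\i386\dumprep.exe ------ 10752 bytes [10:44 17/10/2009] [04:42 14/04/2008] 8E16BF5600797E678EA97051CF93E6BF
C:\WINDOWS\system32\dumprep.exe --a--- 10752 bytes [12:00 04/08/2004] [00:56 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
"""

# One :filefind result line (assumed layout, inferred from the posted log):
#   <path> <6 attribute flags> <size> bytes [modified] [created] <MD5 or failure note>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    modified: str
    created: str
    md5: Optional[str]  # None when SystemLook could not open the file


def parse_filefind(log: str) -> List[FileHit]:
    """Return one FileHit per result line; header and footer lines are skipped."""
    hits: List[FileHit] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        md5 = m["md5"]
        hits.append(FileHit(
            path=m["path"], attrs=m["attrs"], size=int(m["size"]),
            modified=m["modified"], created=m["created"],
            md5=None if md5.startswith("(") else md5.upper(),
        ))
    return hits


def assess(hits: List[FileHit]) -> Dict[str, object]:
    """Summarise the copies: do the readable ones share one hash, which ones
    could not be read (typically locked or access-denied), and do sizes differ?"""
    readable = {h.md5 for h in hits if h.md5}
    return {
        "reference_md5": next(iter(readable)) if len(readable) == 1 else None,
        "hash_conflict": len(readable) > 1,
        "unreadable": [h.path for h in hits if h.md5 is None],
        "size_mismatch": len({h.size for h in hits}) > 1,
    }


if __name__ == "__main__":
    report = assess(parse_filefind(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the posted log this yields a single reference hash shared by the SDOLD download cache and the ServicePackFiles copy, one unreadable copy in system32, and no size mismatch; that combination is what makes "copy the known-good ServicePackFiles file over the locked one" a reasonable next step, which is what the staff FCOPY script below does.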

  • Staff

Hi,

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

C:\WINDOWS\ServicePackFiles\i386\dumprep.exe | C:\WINDOWS\system32\dumprep.exe

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317


Hi,

Thanks again. I tried to download and use ComboFix again but the link to it from BleepingComputer didn't work. I've come now to try again a few hours later and seen a message that CF has been taken offline for a while.

Anyway, in the meantime I've been transferred to a different support guy at Microsoft and things seem to be moving. He's sent me a clean copy of dumprep.exe. At first the existing copy wouldn't allow itself to be replaced but then when I tried again it worked - no idea why.

So I now have a hassle-free installation of SP3, and Windows Update appears to be working fine. The only problem left (if it is a problem) is that every time I reboot Windows Update wants me to download and install its malicious software removal tool. My understanding is that this should be a once-a-month job, so it may be that there is still something not quite right.

The other question I have from a couple of posts ago is how to get rid of the residual Avenger folder(s) still on my system.

Although I didn't run CF, here's a new log from HJT ....

Bye for now

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:32:28, on 11/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM6\aim6.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\COMPAQ_OWNER\Application Data\Mozilla\Profiles\default\qy4mtwbp.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FE8FE5F0-E1EE-4ACD-81E0-2A6CFECB8431} (ePenClientSpec.ucEPenClientspec) - http://downloads.exam2score.com/ePenClientSpec.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--

End of file - 8502 bytes

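Reading a HijackThis log like the one above means scanning a few hundred lines for the handful that matter. The following is an added example, not part of the thread and not code from HijackThis or Trend Micro: a small triage script over a constructed sample made from lines in the posted log. It splits entries by their section code (O2, O16, O17, ...) and pulls out the items a helper looks at first: entries whose target file is gone (HijackThis prints "(no file)" for those), the DNS servers set under O17 so they can be checked against the ISP's published resolvers, O16 ActiveX entries with no download source recorded, and anything pointing into a Temp directory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08422DD0-F4AF-4740-8A75-0201C59D6AC5}: NameServer = 212.159.6.9,212.159.6.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

# Every HijackThis entry starts with a section code such as R1, N3, O2 or O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
TEMP_RE = re.compile(r"\\Temp\\|/Temp/", re.IGNORECASE)


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section_code, entry_text) pairs; header lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def triage(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Pick out the entries a helper would review first."""
    findings: Dict[str, List[str]] = {
        "orphaned": [],       # registered component whose file no longer exists
        "nameservers": [],    # O17 DNS servers, to compare with the ISP's list
        "dpf_no_source": [],  # O16 ActiveX entries with no download URL recorded
        "temp_paths": [],     # anything launched from or referencing a Temp folder
    }
    for kind, body in entries:
        if body.endswith("(no file)"):
            findings["orphaned"].append(f"{kind} - {body}")
        if kind == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                findings["nameservers"].extend(m.group(1).split(","))
        if kind == "O16" and body.rstrip().endswith("-"):
            findings["dpf_no_source"].append(f"{kind} - {body}")
        if TEMP_RE.search(body):
            findings["temp_paths"].append(f"{kind} - {body}")
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_hjt(SAMPLE_HJT)).items():
        print(category)
        for item in items:
            print("   ", item)
```

None of these categories is a verdict: an orphaned BHO is leftover registration rather than running code, and the O17 servers are only worth a second look if they are not the ones the ISP hands out. The point of the script is to shrink the log to the lines worth a human decision.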

  • Staff

Hi,

Glad to hear things are better.. :)

Regarding the Malicious Software Removal Tool, just set the update to ignore. It's doubtful you have any malicious software left after the cleanup we did. If you would really like to investigate it further, continue with your Microsoft support ticket and they may have a solution for you. Regarding the Avenger folder, please do the following:


  • Staff

My apologies... posted prematurely.

Please download OTC by OldTimer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.

See if the folder is gone now.

-screen317


Sorry, but no again. New screenshots attached. When selecting the folder "krcbu1sn" the egg-timer appears for 2 or 3 seconds which usually suggests that the folder has a lot of contents for Windows to think about. And that's what Windows says when I try to delete the folder (screenshot in previous post). But listing properties says there's nothing there.

??

Avenger2.doc


  • Staff

Hi,

Please download OTM.exe by OldTimer.

  • Save it to your Desktop.
  • Please double-click OTM.exe to run it.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Files
    C:\Avenger
  • Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-screen317


Thanks, but still not nuked. OTM moved the folders but then trying to delete still fails - another screenshot attached to show current state.

Contents of OTM.exe logfile...

========== FILES ==========

C:\Avenger\krcbu1sn folder moved successfully.

C:\Avenger folder moved successfully.

OTM by OldTimer - Version 3.1.2.0 log created on 11232009_175937

What's also surprising is that Unlocker reports successful deletion, but doesn't actually delete.

I've noticed that the link to ComboFix is now active again, so I can try downloading and running that again if you think it would help.

Avenger3.doc


  • Staff

Try this once more now; if no joy, I have another idea.

Please download OTC by OldTimer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes. If it doesn't, delete it by yourself.

-screen317


  • Staff

How odd.

Try this please:

Restart your computer but instead of booting into Windows, select the Recovery Console. When the black command prompt appears, select your Windows installation if prompted to, then enter this command exactly as shown below:

rmdir C:\_OTM

Press Enter. Let me know what it reports. Type Exit then press enter to restart your computer back into Windows. See if the folder still exists.

-screen317


This topic is now closed to further replies.