Solved Virus or rootkit haunts me

ESET running

So ESET is running (91%) and I see a reference to Win32/Toolbar.AskSBar application. . .

While the scan is finishing I use my wife's computer to look up what this is. I was at Google's page and before I can pick a link I see Malwarebytes pop up that it has blocked an outgoing attempt on port 137 to a malicious website!

So now two of my three computers seem to be having the same problem. My wife doesn't go anywhere besides the bank, the cooking network and the MSN homepage. Where the heck is this coming from, and why is it so hard to track down?

Oh, and I see that Eset is up to 4 infections the other three (so far) are all Win32/Agent.FFBHKCV, IKXWWSP, and WZUFLD trojans.

I will of course post the final log but thought it was worthwhile to update the situation.
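An added example, not part of the thread, of how to triage an alert like the port-137 block described in the post above. Ports 137/138 (NetBIOS name and datagram service) and 139/445 (SMB) have no business being reached from a home LAN across the Internet, so the useful question is not "was it blocked" but "what on this host is trying to talk NetBIOS/SMB to a non-local address, and did anything get through". The script parses a constructed, generic host-firewall log (the format and every line in it are made up for this example; they are not the poster's McAfee or Malwarebytes output, and the Internet-side addresses are RFC 5737 documentation space) and flags outbound records to those ports whose destination is outside the LAN.

```python
import ipaddress
import re

# NetBIOS name/datagram service and SMB. From a home LAN these should only
# ever be spoken to other LAN hosts, never to an address on the Internet.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Address ranges that count as "on our side" of the router: RFC 1918 space,
# loopback, link-local, multicast and limited broadcast. (The stdlib's
# is_private also treats the RFC 5737 documentation ranges used in the sample
# below as non-global, so the list is spelled out explicitly.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# Constructed sample in a generic host-firewall format. These lines are made
# up for this example; they are not the poster's McAfee or Malwarebytes log.
SAMPLE_LOG = """\
2010-12-17 21:03:11 OUT UDP 192.168.1.5:137 -> 192.168.1.255:137 ALLOW
2010-12-17 21:03:14 OUT UDP 192.168.1.5:137 -> 203.0.113.45:137 BLOCK
2010-12-17 21:03:20 OUT TCP 192.168.1.5:49233 -> 198.51.100.7:80 ALLOW
2010-12-17 21:04:02 OUT TCP 192.168.1.5:49240 -> 198.51.100.9:445 ALLOW
2010-12-17 21:04:30 IN TCP 192.168.1.9:5510 -> 192.168.1.5:445 ALLOW
2010-12-17 21:05:00 OUT UDP 192.168.1.5:138 -> 192.168.1.255:138 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ALLOW|BLOCK)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_local(ip):
    """True if the address belongs to the LAN or another non-Internet range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def flag_netbios_egress(log_text):
    """Outbound records whose destination is a NetBIOS/SMB port on a non-local host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT":
            continue
        if rec["dport"] in NETBIOS_SMB_PORTS and not is_local(rec["dst"]):
            hits.append(rec)
    return hits


def allowed_egress(hits):
    """The worrying subset: NetBIOS/SMB to the Internet that nothing blocked."""
    return [h for h in hits if h["action"] == "ALLOW"]


if __name__ == "__main__":
    for h in flag_netbios_egress(SAMPLE_LOG):
        print(f'{h["ts"]} {h["proto"]} -> {h["dst"]}:{h["dport"]} {h["action"]}')
```

Broadcasts to 192.168.1.255 on 137/138 are normal Windows name-resolution chatter and are deliberately not flagged; a blocked attempt to a public address on 137 is the kind of event the poster saw, and an allowed one on 445 would be worse. Once you have the flagged lines, the next step is the process that owned the socket (netstat -anob on Windows), which a firewall log alone does not give you.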
 
I suspect you may have an infected router, which should be fairly easy to reset, but let's wait for ESET to finish.
 
Waiting on ESET

Should I be doing anything on the second computer yet? ESET is at 93% currently
Any idea how this is spreading or why McAfee and Malwarebytes are failing to detect it?
 
Leave the computer alone.
I believe the router was infected from the very beginning, but it's not easy to see it up front.
 
Ready for normal

You know, at this point, I am just looking to get back to some semblance of normalcy.

So the threats that ESET is finding are relatively new you think? Brought in by an infected router. Which would explain why McAfee and MB are not detecting anything?

Here is the log from ESET (finished).

C:\Temp\Temp\Nero-7.11.10.0_all_update.exe Win32/Toolbar.AskSBar application
C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\sktools4322_setup.exe probably a variant of Win32/Agent.WZUFLD trojan
C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\SpbMobileShell_2.1.2_setup_pocketgear.exe probably a variant of Win32/Agent.IKXWWSP trojan
C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\SpbPocketPlus4.0.2_setup.exe probably a variant of Win32/Agent.FFBHKCV trojan
 
ESET findings are never a big deal at this stage of a cleaning process, because we already eliminated all active malicious processes and files.
These are not active files.
The first one is adware, which legally came as a drive-by install with Nero.
The other three look like some illegal download done by someone.
In any case we'll remove them.

==================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Temp\Temp\Nero-7.11.10.0_all_update.exe 
    C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\sktools4322_setup.exe 
    C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\SpbMobileShell_2.1.2_setup_pocketgear.exe 
    C:\Users\Remo Rackman\Documents\Downloads\Mobile\Window-Mobile-Best-Seller-Applications-with-Serial-Code\SpbPocketPlus4.0.2_setup.exe
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=========================================================================

When done....

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pressing the button inside the hole, using a pencil or a paperclip, until all lights briefly go off and on.
NOTE. Simply disconnecting the router from its power source will NOT do.

Restart the computer and check for that suspicious activity you reported before.

NOTE. You may need to re-check your router security settings, as described HERE
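The helper's hypothesis is a compromised router, and in practice that most often means the DNS servers the router hands out over DHCP (or forwards to upstream) have been changed, so every machine on the LAN resolves names through a server the attacker controls. The ipconfig commands above only clear the local cache and re-lease the address; which resolvers the adapter ends up using still comes from the router. Here is an added example, not from the thread, that reads saved `ipconfig /all` output and labels each DNS server as the router/LAN, a resolver you expect, or unexpected. The `ipconfig` excerpt and every address in it are constructed for this example (the 198.51.100.x and 203.0.113.x values are RFC 5737 documentation space standing in for Internet resolvers), and the `trusted` allow-list is an assumption you fill in with your ISP's resolvers.

```python
import ipaddress
import re

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

# RFC 1918 ranges: a DNS server here is the router (or another LAN box)
# forwarding queries, which is the normal state for a home network.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ipconfig /all` excerpt (Windows 7 layout, IPv4 only). Nothing in
# it comes from the poster's machine; the public-looking resolvers are RFC 5737
# documentation addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ipconfig(text):
    """Return (default_gateway, [dns_servers]) from `ipconfig /all` output.

    Handles the multi-line "DNS Servers" field, where additional servers
    appear on following lines that contain only an indented address.
    """
    gateway, dns, in_dns = None, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if "Default Gateway" in line:
            m = re.search(IP_RE, line.split(":", 1)[1])
            if m:
                gateway = m.group(0)
            in_dns = False
        elif "DNS Servers" in line:
            m = re.search(IP_RE, line.split(":", 1)[1])
            if m:
                dns.append(m.group(0))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+" + IP_RE, line):
            dns.append(line.strip())
        else:
            in_dns = False
    return gateway, dns


def classify_dns(dns_servers, gateway, trusted=()):
    """Label each resolver 'local' (router/LAN), 'trusted' (on the allow-list) or 'unexpected'."""
    verdicts = {}
    for s in dns_servers:
        addr = ipaddress.ip_address(s)
        if s == gateway or any(addr in net for net in LAN_NETS):
            verdicts[s] = "local"
        elif s in trusted:
            verdicts[s] = "trusted"
        else:
            # This is what a changed router/DHCP DNS setting looks like from the client.
            verdicts[s] = "unexpected"
    return verdicts


def unexpected_resolvers(text, trusted=()):
    """Resolvers that neither the router nor the allow-list accounts for."""
    gateway, dns = parse_ipconfig(text)
    return [s for s, v in classify_dns(dns, gateway, trusted).items() if v == "unexpected"]


if __name__ == "__main__":
    # Assumed allow-list: replace with the resolvers your ISP actually publishes.
    print(unexpected_resolvers(SAMPLE_IPCONFIG, trusted=("198.51.100.53",)))
```

Run `ipconfig /all > before.txt` before the pinhole reset and again afterwards, and compare the two. If an unexpected resolver is still present after the reset, look at the router's own WAN DNS settings and administrative password rather than at the PCs, because a clean client will simply pick the bad server up again from DHCP.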
 
DSL router reset

Of all the processes involved, resetting the router had to be the worst (ack).

I forgot that when I do a hard reset on the dsl box it wants to 're-authorize' with Verizon/Frontier. . .

FYI (if you didn't know) you HAVE to use IE, 192.168.1.1/frontier/redirect.htm
user is "admin", password is "password". Had to phone in for that little tidbit even though I have done it so many times; I forgot the IE requirement.

So, I am back online and am waiting to see if any more alerts come up. . .
 
update on performance

I have solved the non-functioning clickable links in email and within programs (such as McAfee). Apparently when I uninstalled Google Chrome as part of my initial attempt to isolate my problem it caused a registry problem (a known issue according to the forum I found references on). I found the best solution looking through Microsoft's website and choosing the "Let us fix it" solution. (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q310049)

Apparently, searching Microsoft again, there was an update to Outlook 2007 two days ago and at least one other user is experiencing the same issue I am, slow response moving between folders. Unfortunately there is no solution or even comment yet on the issue (http://social.answers.microsoft.com...l/thread/a1bcd042-e627-4dae-b7a3-361204573dda).

BUT, at least I have not seen any alerts or suspicious activities (Yay!)

Oh, and I found that McAfee was silently blocking access to geekstogo.com. . .? I have no idea why, I had to check the IP to see what was being blocked and made an exception for it.

I will post another update later, It has been a looong week and a longer day. I really appreciate the help and hopefully things will continue to get better.
 
I'm glad to hear good news :)

Let's finish our cleaning procedure....

I need you to run OTL fix from my reply #32.

Then....

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
OTL log (latest)

I ran your cleanup script again from post #32, rebooted, and then ran the latest script. Here is the log from the latest run.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Ben
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Remo Rackman
->Temp folder emptied: 72378 bytes
->Temporary Internet Files folder emptied: 39824 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2756937 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 175595 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb


[EMPTYFLASH]

User: All Users

User: Ben
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

User: Remo Rackman
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.17.3 log created on 12182010_094839

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...



Getting ready to perform clean up
 
Clean up done

I still had a lot of log files and scan programs after running OTL cleanup but they are now gone.

Checked the McAfee log and I do not see any blocked connection attempts since last night (before the router reboot).

Everything seems to be on track with the exception of Outlook being very sluggish (I have not received any notification of a fix for the "fix" :) ).

From the scanner logs, do you have any indication of whether the issue with the router resulted from computer infection or straight from the Net?

Should I be worried about compromised data from what was found on the computer? (I think I will be canceling shared access to my computer from here on out!)

Thank you again for the excellent help and your quick responses, it makes a big difference when a person is trying to get back to normalcy!!!
 
Donation

It wasn't much but I wanted to express my appreciation for all your help and have sent you a donation through PayPal. I hope I never need to come back for help but if I do, . .

I will post again in a day or so with another update (sooner if an issue arises).


Thank you
 
Thank you very much :)

Good news indeed :)

do you have any indication of whether the issue with the router resulted from computer infection or straight from the Net?
There is no way to tell.

Should I be worried about compromised data from what was found on the computer?
Now, it's clean, so all you need to do is to change your passwords and you should be fine.

Good luck and stay safe :)
 
Strange . . .

I have noticed that without any input on my part, my C:/Windows/System32 folder is opening.

Any reason why some left over scan setting might do this?
 
Mystery folder opening

Well I do not think it is a virus, I have narrowed it down to an issue with Windows Sync Center.

I had my phone plugged in, charging and syncing, and this seems to be the culprit. It will open the C:/Windows/System32 folder every time the sync starts (it does it automatically every 15 minutes). I had forgotten about the phone and kept seeing the folder open up without any input.

Once I disconnect the phone the issue goes away. It did not do that before but I do not know if it is an issue on the phone end or a setting that has been changed during the cleaning.

Not a big deal now that I know it is not something malicious. I will search and see if it might ALSO be related to the latest rollout of patches from Microsoft (as was the sluggish Outlook problem).
 