Try What the Tech -- It's free!


spyware.spyeyes


177 replies to this topic

#16 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 09:29 AM

I'll be here to assist you whenever you need. :thumbup:
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image



#17 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 09:33 AM

Here are the two links:

For the scan log run in safe mode: http://www.megaupload.com/?d=N1GZ5LTK

For the scan log run in normal mode: http://www.megaupload.com/?d=VNV1TS4S

Don't know if there's a difference, but just in case it helps. Thanks as always, talk w/ you soon.

#18 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 09:36 AM

Files received. Reviewing it currently, I will get back to you as soon as I can. Thank you

#19 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 09:38 AM

Thanks so much for letting me know, really stressing getting this done, your help most appreciated.

#20 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 10:32 AM

Not sure if this will help, but I also just ran another Malwarebytes scan in safe mode, and it found 37 items, which is very strange, because the last scan had 9, all of which were removed. More seemed to have been generated since the computer ran all night trying to finish the OTL scan in normal mode. It was down to 0 items just the other day, then it all started again. Aaaagh! Anyway, here are the results of the most recent scan just done. (The scan this time was by the free version, working from safe mode, as opposed to the fully licensed version when I'd run it plugged into my computer via a SATA drive.) I'm sure if I ran another scan, some if not all of these would be back. (sigh) Looking forward to hearing from you soon.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4948

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

10/30/2010 9:20:08 AM
mbam-log-2010-10-30 (09-20-08).txt

Scan type: Full scan (C:\|Q:\|S:\|)
Objects scanned: 376121
Time elapsed: 54 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{709485a0-2b71-65f9-0290-bb99f860ca06} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.SpyEyes) -> Data: c:\program files\lenovo\rescue and recovery\updatemonitorsrv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.SpyEyes) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.SpyEyes) -> Data: c:\windows\system32\spoolsvsrv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.SpyEyes) -> Data: system32\spoolsvsrv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,c:\windows\system32\spoolsvsrv.exe,,c:\program files\lenovo\rescue and recovery\updatemonitorsrv.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AOL 9.5\waolSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\aol\1287944660\ee\aolsoftwareSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\aol\acs\AOLacsdSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Lenovo\Rescue and Recovery\br_funcsSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitorSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLayer.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live Toolbar\MSNTBUPSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Windows\System32\spoolsvSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Windows\System32\svchostSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\NAV\EN\prescanSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\opera\OperaSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\python24\pythonSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\rr\br_checkSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\rr\pdaeasyguiSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\rr\pe_masterpw_appSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\rr\rrcmdSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\rr\FR32\FastRestoreSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\sysinfo\gather\memSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\sysinfo\gather\winbiosSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\usrintfc\pdaguiSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\bmgr32Srv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\delaySrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\dmSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\netsvcinstSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\nspectSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\paappSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\psainstSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\tvtbioschkSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\tvt_bitlocker_statusSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\tvt_pda_registry_importerSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\ADM\netwkSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.

#21 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 11:22 AM

Hello, I'm afraid I have bad news for you, and unfortunately you were getting reinfected from running the backups you had previously. The following file extensions: .exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab may be infected.

Your log shows this entry: c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe

That file and the detections by avast are an indication of a serious viral infection known as Ramnit. For specific details about that file please refer to these threat assessments:
Win32/Ramnit.A / Win32/Ramnit.B are file infectors with IRCBot functionality which infect .exe and .HTML/HTM files, and open a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


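The log quoted above is the Malwarebytes layout that the Userinit entry was read from. As an added illustration (my own code, not anything posted in the thread or shipped by Malwarebytes), here is a small parser for that layout that recovers the summary counts, the detections per section, and the extra programs the hijacked Winlogon\Userinit value had been made to launch; the sample is a constructed excerpt of the posted log.

```python
import re

# Constructed sample in the layout of the Malwarebytes 1.46 log posted above
# (a handful of its lines; the real log lists 31 files).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Registry Values Infected: 1
Registry Data Items Infected: 5
Files Infected: 31

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.SpyEyes) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,c:\windows\system32\spoolsvsrv.exe,,c:\program files\lenovo\rescue and recovery\updatemonitorsrv.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft\DesktopLayer.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
C:\Windows\System32\spoolsvSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
S:\preboot\utils\ADM\netwkSrv.exe (Spyware.SpyEyes) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>.+ Infected):(?: (?P<count>\d+))?$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Return (summary counts, {section: [(item, threat, action), ...]})."""
    counts, sections, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m and m["count"] is not None:     # summary block at the top of the log
            counts[m["name"]] = int(m["count"])
        elif m:                               # start of a detail block
            current = m["name"]
            sections.setdefault(current, [])
        else:
            d = DETECT_RE.match(line)
            if d and current:                 # "(No malicious items detected)" never matches
                sections[current].append((d["item"], d["threat"], d["rest"]))
    return counts, sections


def userinit_extras(sections):
    """Programs the hijacked Winlogon\\Userinit value launched besides the legitimate one."""
    for _, threat, rest in sections.get("Registry Data Items Infected", []):
        if threat == "Hijack.UserInit":
            h = HIJACK_RE.search(rest)
            good = h["good"].lower()
            return [p for p in h["bad"].split(",") if p and not p.lower().endswith(good)]
    return []
```

On the full posted log the same two functions give the 31 file detections and the three extra Userinit entries that Conspire's reply singles out.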

#22 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 12:11 PM

Obviously not good news, but thanks for the update. This was what I thought would be best as well, which is why I thought I had followed the instructions above and reformatted and installed a new OS using Rescue and Recovery on the computer; it was supposedly restored to the factory setup, which was prior to the infection. I then installed all the applications over as well, as all was wiped out. But since that obviously didn't work, how should I reformat? I do not have any CDs from Lenovo, but I can order them online, so rather than redo everything from the Rescue and Recovery option, should I just reinstall from the CDs? Or will this just cause the same problem/reinfection? Or is the best option to get a new hard drive and install all on that?

#23 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 12:29 PM

Actually, there is nothing wrong with using the recovery partition for restoring to factory setup. The only thing you have to note is that you should not touch anything from your backup. Meaning that all the backups are useless as we don't know specifically which ones are infected. That's the safest thing you could do to prevent yourself from getting reinfected. I hope those backups you had can be rebuilt from scratch. Are you saving your backups on an external drive?

#24 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 12:40 PM

When I had the hard drive plugged into my computer via Sata drive, I backed up the entire My Documents folder, which brought all of that data over, and this is the only backup I have for this computer. (other than system restore, which has never been used)

#25 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 12:44 PM

Ok, erase and reformat all the contents inside.



#26 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 12:52 PM

So if I do the reformat and all from the Rescue and Recovery module again, that should be ok? This is what I did, so how did it get reinfected virtually immediately after reformat and all? Was it because I put all the documents back onto the computer? If I go through this all again, would I be able to put back the normal documents? I.e. .doc, .pdf, .xls... nothing with any of the extensions you listed as being potentially infected. For the programs that I don't have CDs for, I will download fresh, and install from those. Would this be a safe approach?

#27 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 12:54 PM

Oh, and .txt...these seem to be pretty much all he has for documents. All else would be installed new.

#28 Conspire

    SuperHelper

  • Retired Classroom Teacher
  • 5,806 posts

Posted 30 October 2010 - 12:57 PM

Yeah, it's because you put all the documents back onto the computer itself. When you go through all this again, it's best for you not to put those back, and to carefully select the ones that are not in the list of potentially infected extensions. Downloading a fresh copy would be the safest approach. :)
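Conspire's rule above (hold back anything with one of the listed extensions, copy back only plain documents) can be applied mechanically to a backup listing. This is an added example, not the helper's or the forum's code: it also treats a file whose content starts with the MZ executable header as "hold" whatever its name says, and puts anything it cannot vouch for (such as the thumbnail .db files asked about later in the thread) into a "review" bucket; the listing and the leading bytes are constructed.

```python
from pathlib import PureWindowsPath

# Extensions the helper in this thread lists as potentially carrying the infection.
HOLD_BACK = {".exe", ".scr", ".dll", ".ini", ".htm", ".html", ".php", ".asp",
             ".xml", ".zip", ".rar", ".cab"}
# Document types the poster wants to copy back, with the bytes their content
# should begin with (None = no fixed signature).
PLAIN_DOCS = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 container used by Office 97-2003 files
    ".xls": b"\xd0\xcf\x11\xe0",
    ".txt": None,
}


def classify(path, head):
    """'hold' for listed types or MZ (executable) content under any name,
    'restore' for a plain document whose content matches its extension,
    'review' for everything else (e.g. a Thumbs.db thumbnail cache)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if head.startswith(b"MZ") or any(s in HOLD_BACK for s in suffixes):
        return "hold"
    ext = suffixes[-1] if suffixes else ""
    if ext in PLAIN_DOCS:
        magic = PLAIN_DOCS[ext]
        if magic is None or head.startswith(magic):
            return "restore"
    return "review"


def triage(files):
    """files: iterable of (path, first bytes of content) -> three buckets of paths."""
    buckets = {"hold": [], "restore": [], "review": []}
    for path, head in files:
        buckets[classify(path, head)].append(path)
    return buckets


# Constructed listing: honest documents, a stacked extension, an executable
# carrying a document name, and a thumbnail cache file.
SAMPLE_BACKUP = [
    (r"My Documents\budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    (r"My Documents\letter.doc", b"MZ\x90\x00"),
    (r"My Documents\invoice.pdf.exe", b"MZ\x90\x00"),
    (r"My Documents\Pictures\Thumbs.db", b"\xd0\xcf\x11\xe0"),
    (r"My Documents\Pictures\holiday.jpg", b"\xff\xd8\xff\xe0"),
    (r"My Documents\site\index.htm", b"<html>"),
    (r"My Documents\notes.txt", b"hello"),
]
```

Only the "restore" bucket would be copied back; "hold" stays off the rebuilt machine and "review" is decided file by file.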

#29 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 01:57 PM

Ok. One other thing, how about jpg files? In files where there are jpg files, there is also a db file for thumbnail views...is it ok to leave these?

#30 lthsinc

    Authentic Member

  • 103 posts

Posted 30 October 2010 - 02:03 PM

Sorry, just don't want to go through this all again...so anything not on the list of extensions would be okay, correct? Again, all the files I'm talking about putting back are .doc, .xls, .jpg, .pdf, .txt, and possibly the db files with the jpg's if you say that's ok. thanks.
