Download.Trojen, Backdoor.Tofger + popups and more!

[tetonbob]

Hi mookoo -

Fear not....first, I'd like you to run this tool, as there were some elements of this infection showing:

1. Download and run - bfu.zip
2. Checkmark the following boxes:
   • Use settings specified in script for the above option
   • Show log after script ends
3. Click the Web button located on the top right corner
4. Copy/Paste this url into the address bar of the Download script window:

   http://metallica.geekstogo.com/alcanshorty.bfu

5. Execute the script by clicking the Execute button.
6. When it finishes running, click the Save button for a copy of the log
7. Post the log created by the script when you have completed the fix

If that helps out the Firewall cpl, that's great...but I don't think it will. I believe your entire SharedAccess key has become corrupt, but we can rebuild it.

One step at a time...run the tool, and let me know.

[mookoo]

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 23:17:05, on 08/03/2006

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\Mookoo\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0000 (operation failed)
Failed: FolderDelete C:\DOCUME~1\Mookoo\LOCALS~1\Temp\Adobelm_Cleanup.0001.dir.0002 (operation failed)
Failed: FileDelete C:\DOCUME~1\Mookoo\LOCALS~1\Temp\Photoshop Temp817628 (operation failed)
Failed: FileDelete C:\DOCUME~1\Mookoo\LOCALS~1\Temp\~DF7FDD.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Script completed.

The firewall problem hasn't changed...

[tetonbob]

I have attached a file to this post - look2.zip

• Download this file to your desktop.
• Double click on the zip folder
• Doubleclick look.bat and notepad will open.
• Copy and paste the contents in your next reply.

[mookoo]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\Network Associates\\On Demand Scanner\\Scan32\\scan32.exe"="C:\\Program Files\\Common Files\\Network Associates\\On Demand Scanner\\Scan32\\scan32.exe:*:Enabled:VirusScan"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Yahoo! Games\\Blasterball 2 Remix\\bb2remix.exe"="C:\\Program Files\\Yahoo! Games\\Blasterball 2 Remix\\bb2remix.exe:*:Disabled:bb2remix"
"C:\\Program Files\\WildTangent\\Blasterball 2\\BB2.exe"="C:\\Program Files\\WildTangent\\Blasterball 2\\BB2.exe:*:Enabled:BB2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[tetonbob]

It appears that some of your SharedAccess key is missing or corrupt.


Go to Start->Run and type in regedit and hit OK. Highlight this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

Go to File->Export and save the key somewhere as a backup. Close the Registry Editor now.



Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg (right-click and Save As)
Place it on your desktop.
Now doubleclick sharedaccess.reg
Ckick yes/ok at the prompt.

Then REBOOT!! Important!

After reboot, go to start > run and copy and paste next command in the field:

NETSH FIREWALL RESET

Click ok

Wait till the Dosprompt (black window) closes again.
Then look if you can access the firewall settings again.

[mookoo]

:D YOU ARE AMAZING!

The firewall is fixed, it was fixed before putting NETSH FIREWALL RESET into run but I did it anyway and everything is fine.

Thank you VERY much. If I ever have any money, I will consider donating some!

McAfee has not reported any more viruses for about 5 hours now so I hope thats them all gone *crosses fingers*.

:) Thank you tetonbob! <3xx

[tetonbob]

Good news, nice job!

For my own peace of mind....please run Kaspersky online scan once again. Then I will give you final housekeeping and protection instructions.

[mookoo]

It said
No malware has been detected. The sections that have been scanned are CLEAN.

WEY! Thanks again

[tetonbob]

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
• AVG
  
  It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[mookoo]

Hi. Thanks for all your help! I'll keep this page bookmarked, I know my brother will definately need some of these programs.

Again, thank you, you people are like superhuman or something! If only all computer fixers were as good as you! hehe

<3mookoo