Malware keeps coming back


This topic is locked.
20 replies to this topic

#1 TCel (Members, 18 posts)
Posted 12 November 2009 - 09:35 PM

I have some sort of malware or virus on my computer. My computer is:
Dell Mini XP Home Edition Version 2002, Service Pack 3, CPU 1.60 GHz, 0.99 GB Ram
I connect to the internet wirelessly.

I have run Avast! scans which found and removed several items. I have used Ad-Aware to remove some items. I have also used CCleaner, which removed items. However, the main problem keeps recurring. Several times it appeared to be gone, but it always came back within one day. It does not appear to matter which websites I visit.

The main symptom:
Websites that I normally go to take more time to do anything, and then a big browser screen with some ad pops up full screen in front. This happens in both IE7 and Firefox. These are sites I am accustomed to go to and have visited daily for months and am fairly aware of their performance on this machine. Some of these sites do not work at all, until I kill some other process. However, there is really nothing extra that is normally running, so I end up killing the Avast! On-Access scanner.
Also when I try to install Malwarebytes, the main mbam.exe is never present, so I can not run this. I am not sure if the malware is preventing normal install of this program.

In the system startup items there is always something like (from CCleaner):
Program:tipejabov
File: Rundll32.exe "c:\windows\system32\biluguki.dll",a
the name of the file varies. It was nonomasu.dll yesterday. it was wituloru.dll the day before.
I suspect it as the problem process. However, this is not a separate process on Task Manager. I can find no suspect process on Task Manager.

I can remove these from the start up, or the anti-virus program finds and removes these, and they always come back. This machine is really only used for web browsing, so this issue is an important one for me to resolve.
I would like to find out if there is anything else short of re-imaging this that I can do.


#2 boopme (Global Moderator, NJ USA)

Posted 12 November 2009 - 10:05 PM

Hello, these are Vundo (malware) files. Since the malware is affecting your ability to scan, let's do it this way.

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. Due to the reboot,you need to run RKill again.
6. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


Rerun Super post that log..We'll see what's up then.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 TCel (Topic Starter)

Posted 18 November 2009 - 10:11 PM

Sorry for not getting back sooner. I did run rkill. At first it did not seem to remove the virus. When I restarted the computer, it was still there. However, I did run it again, and after several reboots there is no sign of the virus again.

I am running AVG Free antivirus. It appears to be okay. I had already removed Malwarebytes, and so the removal link you supplied may not have done anything. I did run it though. I have not attempted to reinstall it yet.

I hope your very valuable help has gotten rid of this worm, and that AVG can prevent it from returning. If it does somehow, I assume I can run rkill again?

Thanks

#4 boopme (Global Moderator)

Posted 18 November 2009 - 10:16 PM

I would still like for you to install and run MBAM and post a log for review to be sure. :thumbsup:

#5 TCel (Topic Starter)

Posted 19 November 2009 - 10:13 PM

I installed mbam (free version), updated it, restarted, and ran a quick scan. Malwarebytes did not go in the system tray. Maybe because AVG is still installed?

The log showed vundo was still there:

Malwarebytes' Anti-Malware 1.41
Database version: 3200
Windows 5.1.2600 Service Pack 3

11/19/2009 7:06:04 PM
mbam-log-2009-11-19 (19-06-04).txt

Scan type: Quick Scan
Objects scanned: 107837
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lejivaya.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 boopme (Global Moderator)

Posted 19 November 2009 - 11:10 PM

Hi, Vundo is stubborn and may take several scans and/or tools.

Let's do this and see if we can kill it. First a safe mode then a normal mode.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox or Opera browser click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now that you're in normal mode, rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions,post 2 logs and Let us know how the PC is running now.

#7 TCel (Topic Starter)

Posted 20 November 2009 - 10:28 AM

I downloaded those 2 items and ran them. Afterwards updated and ran MBAM. Everything came up negative. :thumbsup:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/19/2009 at 11:55 PM

Application Version : 4.30.1004

Core Rules Database Version : 4295
Trace Rules Database Version: 2166

Scan type : Complete Scan
Total Scan Time : 01:36:42

Memory items scanned : 214
Memory threats detected : 0
Registry items scanned : 4311
Registry threats detected : 0
File items scanned : 33925
File threats detected : 0


Malwarebytes' Anti-Malware 1.41
Database version: 3201
Windows 5.1.2600 Service Pack 3

11/20/2009 7:20:41 AM
mbam-log-2009-11-20 (07-20-41).txt

Scan type: Quick Scan
Objects scanned: 103122
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



So I think I am fine. :flowers:
I now have AVG Free and Superantispyware in my system tray. Should I uninstall one or more of these? Which of the programs would be best to keep running (AVG Free, SuperAntiSpyware, MBAM, Ad-Aware)? I also would like to remove the AVG toolbar from my browser. This is a netbook with a 9" screen, and very limited disk (really flash) storage.

#8 boopme (Global Moderator)

Posted 20 November 2009 - 01:06 PM

Hi, you can keep SAS and MBAM, update weekly and scan. Uninstall AdAware. Can you remove the Toolbar in the Control Panel, Add/Remove Programs?

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#9 TCel (Topic Starter)

Posted 20 November 2009 - 10:34 PM

Okay. I did do that.
Thanks so much!

#10 boopme (Global Moderator)

Posted 20 November 2009 - 11:08 PM

You're most welcome,as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 6 here
Click >>>> Tips to protect yourself against malware:

#11 TCel (Topic Starter)

Posted 24 November 2009 - 12:32 AM

This malware is gone.

Today, just after I updated Superantispyware, I got another thing that mimicked an antispyware program in my system tray. It tried everything to prevent me from running a scan, putting up about 4 types of messages that were trying to make me believe they came from Windows and a legit program, and when it failed, a Porn site. SuperAntispyware got rid of it from the system tray, but now I cannot connect to the internet with IE or with the update or links in Superantispyware or MBAM. I ran both a quick and a deep scan with SAS and a quick scan with MBAM. I can connect with Firefox. How weird is that?

I will try to reboot in safe mode and run a scan again. Maybe it will fix the issue with IE.

This is what SAS found:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2009 at 08:24 PM

Application Version : 4.31.1000

Core Rules Database Version : 4295
Trace Rules Database Version: 2166

Scan type : Quick Scan
Total Scan Time : 00:15:20

Memory items scanned : 426
Memory threats detected : 1
Registry items scanned : 460
Registry threats detected : 40
File items scanned : 18874
File threats detected : 45

Trojan.Agent/Gen-FakeSpy[Broad-1]
C:\DOCUMENTS AND SETTINGS\NICOLA\LOCAL SETTINGS\APPLICATION DATA\AFYFJU\KRKJSYSGUARD.EXE
C:\DOCUMENTS AND SETTINGS\NICOLA\LOCAL SETTINGS\APPLICATION DATA\AFYFJU\KRKJSYSGUARD.EXE
[onoyltpw] C:\DOCUMENTS AND SETTINGS\NICOLA\LOCAL SETTINGS\APPLICATION DATA\AFYFJU\KRKJSYSGUARD.EXE
[onoyltpw] C:\DOCUMENTS AND SETTINGS\NICOLA\LOCAL SETTINGS\APPLICATION DATA\AFYFJU\KRKJSYSGUARD.EXE
C:\WINDOWS\Prefetch\KRKJSYSGUARD.EXE-2B8FB94D.pf

Adware.Tracking Cookie

Rogue.Agent/Gen




#12 TCel (Topic Starter)

Posted 24 November 2009 - 01:07 AM

I used the restore point I created after Vundo was removed to get rid of this effect.
I updated SAS and MBAM and created a new restore point. I also have bought the paid version of SAS, since they were having a special today. I got it for another computer, too. I really need it for 3 or 4.



#13 boopme (Global Moderator)

Posted 24 November 2009 - 11:28 AM

Hi, what antivirus and firewall are running? This is an odd occurrence. I would like you to run another quick scan. Just to clarify, did MBAM run? If not, use the RKill tool first.

Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#14 TCel (Topic Starter)

Posted 24 November 2009 - 08:53 PM

At the time this happened I had SuperAntiSpyware (free version) running. It was in the system tray. MBAM should also have been running (when I clicked on it, it said it was already running; also it is in the startup list). Also AVG free should have been running, although I did not see it there when I noticed the fake anti-spyware in the system tray (it had a different icon). The default Windows (XP) firewall was running and enabled, as well as whatever firewall is on my wireless router. I have since uninstalled AVG since it is redundant, and it got taken over or replaced by this thing in the system tray.
After I ran SAS yesterday in quickscan, and it removed what I posted, I also ran MBAM. It ran fine, but did not find anything. I ran SAS in complete mode, and it found one malware tracking cookie. However, I had that IE and url connection issue, so I restored from the checkpoint of a couple of days ago.

This is the output of the latest tool you asked me to run:

SmitFraudFix v2.424

Scan done at 17:40:13.31, Tue 11/24/2009
Run from C:\Documents and Settings\Nicola\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Nicola\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Nicola


C:\DOCUME~1\Nicola\LOCALS~1\Temp


C:\Documents and Settings\Nicola\Application Data


Start Menu


C:\DOCUME~1\Nicola\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{799e3bdf-256c-4d8a-bc05-e24b3e6a66a0}"="kupuhivus"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62ae4edd-2e00-413a-8b88-a81fa8c1705e}"="gahurihor"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{06b66e62-1c26-4e3c-951e-151a86068871}"="mujuzedij"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="riwakabe.dll c:\\windows\\system32\\wikufalu.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B629B906-86A7-4373-B680-1C8643A38F33}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B629B906-86A7-4373-B680-1C8643A38F33}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B629B906-86A7-4373-B680-1C8643A38F33}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End
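
The random-named DLL in the startup entry from post #1 (Rundll32.exe "c:\windows\system32\biluguki.dll",a) and the AppInit_DLLs and SharedTaskScheduler values in the report above share the same generated-name pattern. The Python script below is an added example, not a tool from this thread or from SmitfraudFix: it parses a constructed report modelled on the one above and flags the entries whose names match that pattern. The length/alternation heuristic and the small allowlist are assumptions for triage, not a detection signature.

```python
import re

# Heuristic for the random names seen in this thread (biluguki, nonomasu,
# kupuhivus, riwakabe, ...): lowercase letters only, 7-10 long, strictly
# alternating consonant/vowel. Assumption: a coarse triage filter, not a signature.
VOWELS = set("aeiou")
# Legitimate names that also alternate (userinit does); a defender would extend
# this from a known-good baseline of the machine. Assumed allowlist.
ALLOWLIST = {"userinit"}


def looks_generated(name: str) -> bool:
    """Return True when a file or value name matches the generated-name pattern."""
    stem = name.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if stem in ALLOWLIST or not stem.isalpha() or not 7 <= len(stem) <= 10:
        return False
    kinds = [ch in VOWELS for ch in stem]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


# Matches the CCleaner-style startup entry quoted in the first post:
#   Rundll32.exe "c:\windows\system32\biluguki.dll",a
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)


def parse_rundll_startup(command: str):
    """Split a Rundll32 autorun command into (dll path, export name), or None."""
    m = RUNDLL_RE.search(command)
    return (m.group(1), m.group(2)) if m else None


def split_dll_list(value: str):
    """AppInit_DLLs and Userinit are space/comma separated lists; a bare file
    name (no path) is resolved from the system directory at load time."""
    return [p for p in re.split(r"[ ,]+", value.replace("\\\\", "\\").strip()) if p]


def parse_smitfraud_report(text: str):
    """Pull AppInit_DLLs, Userinit and SharedTaskScheduler entries out of a
    SmitfraudFix-style report ("key"="value" lines under [hive\\key] headers)."""
    out = {"appinit": [], "userinit": [], "sts": []}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"$', line)
        if not m:
            continue
        key, val = m.groups()
        if key == "AppInit_DLLs":
            out["appinit"].extend(split_dll_list(val))
        elif key == "Userinit":
            out["userinit"].extend(split_dll_list(val))
        elif "SharedTaskScheduler" in section:
            out["sts"].append((key, val))
    return out


def triage(report_text: str, startup_commands):
    """Return (location, name) pairs whose name matches the generated pattern."""
    hits = []
    for cmd in startup_commands:
        parsed = parse_rundll_startup(cmd)
        if parsed and looks_generated(parsed[0]):
            hits.append(("Run/Rundll32", parsed[0]))
    rep = parse_smitfraud_report(report_text)
    hits += [("AppInit_DLLs", d) for d in rep["appinit"] if looks_generated(d)]
    hits += [("Winlogon\\Userinit", d) for d in rep["userinit"] if looks_generated(d)]
    hits += [("SharedTaskScheduler " + c, n) for c, n in rep["sts"] if looks_generated(n)]
    return hits


# Constructed sample input, modelled on the report posted in this thread.
SAMPLE_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{799e3bdf-256c-4d8a-bc05-e24b3e6a66a0}"="kupuhivus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62ae4edd-2e00-413a-8b88-a81fa8c1705e}"="gahurihor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="riwakabe.dll c:\\windows\\system32\\wikufalu.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
# Constructed startup list: the entry from post #1 plus a legitimate program.
SAMPLE_STARTUP = [
    r'Rundll32.exe "c:\windows\system32\biluguki.dll",a',
    r'"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"',
]

if __name__ == "__main__":
    for where, name in triage(SAMPLE_REPORT, SAMPLE_STARTUP):
        print(f"{where:60} {name}")
```

Running it lists the Rundll32 DLL, both AppInit_DLLs entries and both SharedTaskScheduler names, while userinit.exe passes because it is allowlisted.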




#15 boopme (Global Moderator)

Posted 25 November 2009 - 12:00 AM

Hi, we need to run part 2, the cleaner. This is the second time I've seen this this week.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt



