Post #1 - Nov 19 2007, 01:13 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
It all started when I downloaded a program...my gut told me not to do it...I should have listened.

Here are my main symptoms:
- Began w/ random audio clips being played (even a commercial for Twix...?!) and random internet page pop-unders...THEN, the fun really began...
- The fake error notices started popping up: fake error balloons in the task bar, fake error windows...I don't even know what is real or fake anymore, so I don't click anything (actually, never have, isn't that the way you activate a lot of these things?)
- I have new desktop icons appearing...some are for "casinos" or "hot dates"...neither of which I need and/or want, btw...the others are imposters of the traditional Windows "shield" icons...except these two are blue and green...both say something about internet security center or something...they are both located in my start menu, and both link to this website, kukka or something like that (as I said before, no I do not click on these things, I checked their origin by right clicking and checking the properties label...smart huh? I hope sooo...)
- In addition to my newly acquired desktop icons, the icons and taskbar also like to do a disappearing act...and usually upon startup, I have the message on my desktop about "restore active desktop"...which I did click...but am now regretting, because it probably is fake too...

Here is what I have done to TRY to fix the problem (obviously unsuccessfully):
1. I have downloaded and run Ad-Aware 2007, deleting what it finds, restarting after each time, until nothing is found
2. I downloaded and ran Spybot, until nothing was found...each time, however, it is not long until either one of these programs (Ad-Aware and S+D) detects something again...I also have a question about Spybot--I sit there for a few minutes trying to decide on whether to allow some changes, or deny them...how do you know? There are so many popping up sometimes, and I don't want to do the wrong thing!
3. I downloaded Stinger, which I ran once....at this point, it becomes blurry because I am really getting frustrated...it takes me so long to even start up the laptop, and when I tried to shut it down today, it just kept telling me to contact an admin, that I was not authorized or something like that...
4. Another thing I did was update and scan with my Trend Micro, and installed SpySweeper...both detected the problems, and claimed to fix them, but I am still having serious issues that are only getting worse, and those pesky desktop icons are still there...I will try to update my Java tomorrow, but that will not solve the problem by itself, right?

So, with that said, here are my questions:
1. How do you know if a problem is beyond help and needs to be taken to a professional...I am seeing on the Spybot alerts a lot of registry and startup changes...
2. How hard is this going to be if I do it myself? I am decent with computers, but definitely not with viruses, I have never come across this before
3. Can the virus do its "dirty work" while my computer is off? Oh God please say no...

FYI...I am coming to you via my parent's laptop right now, because I do not even want to turn mine on...it turns my stomach to see it infiltrated like that. PLEASE HELP ME!!!!!!!!

This post has been edited by JWUequine08: Nov 19 2007, 01:18 AM
Post #2 - Nov 19 2007, 03:17 AM - a forum member (Group: Members, Posts: 2,360, Joined: 27-August 07, Member No.: 153,171)
try this little gem: http://www.superantispyware.com/ - you want the free version (home users). Fully update it; suggest you reboot into safe mode and run it on a full deep scan; see what garbage it reports.

What DID Stinger flag up? And do you have the latest version of it (Sept 07)? And your antivirus program is...what? And other protection on there?

Maybe a lesson to be learnt from this; if in doubt DO NOT CLICK!!!! (Of interest, may we know which program you DID download please?)

Also, is system restore enabled at present?
Post #3 - Nov 19 2007, 09:57 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
QUOTE (post #2): try this little gem http://www.superantispyware.com/ you want the free version home users fully update it, suggest reboot into safe mode and run it on a full deep scan; see what garbage it reports. What DID Stinger flag up? And do you have the latest version of it (Sept 07) and your antivirus program is...what? And other protection on there? Maybe a lesson to be learnt from this; if in doubt DO NOT CLICK!!!! (of interest, may we know which program you DID download please?) Also is system restore enabled at present?

okay, here are the answers to your questions:
- I ran SUPERAntiSpyware previously, and it did find some things, but I do not know exactly what - I did know that the problems still persisted though...I am running it again as we speak
- STINGER: yes, I have the latest version...am I supposed to run this in safe mode as well?...I figured that I would run it right after I do SUPERAntiSpyware, since I am already in safe mode, and it takes my computer FOREVER to boot up... I will report the results of the above after they are completed...
- ANTIVIRUS: Trend Micro
- Other protection: added SpySweeper (product by Webroot) AFTER the infection
- Yes, do not ever click on anything! I have always prided myself in being a non-clicker lol...even with the occasional pop up, I would never click the X, because if it is a popup, the X does not actually get rid of it, just activates it...but I don't need to tell YOU that lol
- The program I d/l was Xara Xtreme, a 30 day trial...my problem was that I got it P2P off of ARES...bad, bad thing, I know
- As per many suggestions I have seen on here, I have disabled system restore...

So, now that my laptop is up and running while being scanned (I am on the other laptop right now), I figured it was a good time to give some of the exact descriptions of some of the messages I am getting. Some of the more recent ones are pertaining to files; these usually turn up upon startup, and the description sounds to me like something is trying to access this file, and I assure you, it is not me...lol...

"C:\WINDOWS\shell.exe: Windows cannot find 'C:\WINDOWS\shell.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

Maybe I made the wrong decision when allowing or denying something Spybot brought up? Was this file deleted by accident? Do I need it? I get the same message with another file name, but it is not up right now, so I do not remember what it is...heck, I'm not even sure that this is a system message!

The messages I definitely KNOW to be fake are bubbles popping up from my taskbar (complete with blinking yellow triangle ! sign)...and another few that pop up in windows telling me to click here to get the latest "anti spyware blah blah blah"...rigggght, let me click there, great idea...I mean come on.

OH! and another I just remembered is my newly acquired toolbar....SECURITY TOOLBAR 7.1...also, when online (which I try to avoid), if I am looking at a page, a new window pops up and starts to go to that website...let me see if I can get the address...here: kukkakreck.com/ceph,oin/?cmp=h5lid=1_.....that is all I can see from the properties tab, that is from the icons on my desktop, but I think when I am redirected to a new window, that is the exact site it tries to bring me to.

I also have 2 new notepad icons on my desktop, labeled hs_err_pid1132 and hs_err_pid2764...I have not touched these, I do not know what they contain...

I will post the results of my SUPERAntiSpyware and Stinger scans momentarily. I am very sorry this is a ton of information for whoever has to decipher...If I can help in any way to make it easier, please let me know! I look forward to hearing from someone...ANYONE!...::sigh::
Post #4 - Nov 19 2007, 10:21 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
okay, SUPERAntiSpyware just finished...here is what it found:

In my files - Adware Tracking Cookies:
- C:\Documents and Settings\Elizabeth\Cookies\elizabeth@19452074[2].txt
- C:\Documents and Settings\Elizabeth\Cookies\elizabeth@doubleclick[1].txt
- C:\Documents and Settings\Elizabeth\Cookies\elizabeth@login.tracking101[2].txt
- C:\Documents and Settings\Elizabeth\Cookies\elizabeth@sexbuddies[2].txt - ahem...perhaps the most disturbing one yet

Trace Known Threat Sources - Files:
- C:\Documents and Settings\Elizabeth\Cookies\Local Settings\Temporary Intetnet Files\Content.IE5\5BIXJ622\rd-fakeout2-720x300[1].gif

Is that one of the fake alerts I am getting? Off to run Stinger now...
Post #5 - Nov 19 2007, 10:27 AM - Bleepin' Janitor (Group: Global Moderator, Posts: 14,074, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513)
QUOTE: Infected W/ Virtumonde...

Did you follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection"?

QUOTE: my newly acquired toolbar....SECURITY TOOLBAR 7.1

This is more malware. Please print out and follow the generic instructions for using SmitfraudFix in BC's self-help tutorial "How to remove the Smitfraud/Generic Zlob" (scroll down to where it says Removal Instructions; ignore the part that shows symptoms in a HijackThis log as they will not apply to your case). If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

shell.exe = W32/Mytob-CA worm. From what you describe in regards to the error message, the file is probably an orphaned entry related to this malware that was set to run at startup. Windows is trying to load this file but cannot locate it since the file may have been removed during an anti-virus scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up. When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message indicating that the file was not found. You need to remove this registry entry so Windows stops searching for the program when it loads. To resolve this, download and run Autoruns, search for the related entry and then delete it.

Why scan in safe mode: The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using "Safe Mode" to perform your scans reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools.

-------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
Microsoft MVP - Windows Security 2007-2009
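The orphaned-startup-entry check described above, as an added PowerShell example that is not from this thread or from Autoruns: it enumerates the Run/RunOnce keys and the Winlogon Shell and Userinit values and reports any entry whose target file is missing from disk, resolving bare names such as explorer.exe from the Windows directory the way Windows does. It assumes a standard Windows install and an elevated PowerShell session so that HKLM can be read.

```powershell
# Added example, not from the thread: report Windows startup entries whose
# target executable no longer exists on disk, i.e. the orphaned autorun
# entries that produce "Windows cannot find 'C:\WINDOWS\shell.exe'" at logon.
# Assumes a standard Windows host and an elevated session (to read HKLM).
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object { "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"; "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" }
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# A bare file name (e.g. explorer.exe in Winlogon\Shell) is resolved the way
# Windows does for these values: the Windows directory, then System32.
function Test-TargetExists([string]$ExePath) {
    $p = [Environment]::ExpandEnvironmentVariables($ExePath)
    if ([IO.Path]::IsPathRooted($p)) { return [bool](Test-Path -LiteralPath $p) }
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
        if (Test-Path -LiteralPath (Join-Path $dir $p)) { return $true }
    }
    return $false
}

# Pull the executable out of a command line: a quoted path, or for an
# unquoted one each space-delimited prefix in turn (as Windows itself does).
function Get-ExePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-TargetExists $candidate) { return $candidate }
    }
    return $tokens[0]
}

function Get-OrphanedStartupEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # provider metadata, not a value
            $entries += [pscustomobject]@{ Key = $key; Name = $name; Value = [string]$props.$name }
        }
    }
    # Winlogon Shell/Userinit are startup hooks malware also edits; extra
    # comma-separated items beside explorer.exe / userinit.exe are the suspects.
    $wl = Get-ItemProperty -Path $winlogonKey
    foreach ($name in 'Shell', 'Userinit') {
        foreach ($part in ([string]$wl.$name -split ',')) {
            if ($part.Trim()) { $entries += [pscustomobject]@{ Key = $winlogonKey; Name = $name; Value = $part.Trim() } }
        }
    }
    $entries | Where-Object { -not (Test-TargetExists (Get-ExePath $_.Value)) }
}

Get-OrphanedStartupEntries | Format-Table -AutoSize
```

An entry that shows up here is one Windows will keep trying and failing to start; remove it (with Autoruns, as advised above) only after checking that the key and value name match the error you are seeing.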
Post #6 - Nov 19 2007, 10:29 AM - Bleepin' Janitor (Group: Global Moderator, Posts: 14,074, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513)
Your previous post I did not see when posting my reply.
When done with the above, do this: Please download ATF Cleaner by Atribune & save it to your desktop.
Post #7 - Nov 19 2007, 10:31 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
ok great, I will try exactly what you said...

I do have a question about Spybot, though...HOW do I know what to allow and what to deny? I just don't want to make any mistakes allowing something I don't want, or denying something I DO want...does this program only alert me to harmful things, so I can just deny everything? I am very confused about this.

Also, when I start up, I get the message about not being connected to the internet, and to work offline, or try again...I currently have my wireless off so it cannot connect without me knowing, but I have never gotten this message before this...not all the time anyway, maybe once in a great while.

This post has been edited by JWUequine08: Nov 19 2007, 10:33 AM
Post #8 - Nov 19 2007, 10:34 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
answered my own question on this one

This post has been edited by JWUequine08: Nov 19 2007, 10:40 AM
Post #9 - Nov 19 2007, 10:38 AM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
whoa, I am so sorry for alllll the replies....but NOW, I just installed Sygate firewall, and am getting requests for internet access (I turned on the connection so I could update my virus software...again)...I really have a hard time deciding what to allow...are there some kind of guidelines somewhere for this kind of thing (in addition to Spybot also?)??
Post #10 - Nov 19 2007, 10:42 AM - Bleepin' Janitor (Group: Global Moderator, Posts: 14,074, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513)
Follow the instructions I provided in post #5 and also run ATFCleaner as advised in post #6. Don't worry about what to allow or deny with Spybot or your firewall right now. Clean your system of the malware. If you continue to interject too many questions not related to the malware issue at hand, you are only going to get confused as to what you need to do.
Post #11 - Nov 19 2007, 01:00 PM - Member (Group: Members, Posts: 23, Joined: 25-April 05, From: Rhode Island, Member No.: 18,140)
I have gotten up to the Autoruns part, which I am doing now...

The only thing I can find related to "shell" is the first item listed...it has the registry symbol next to it: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Directly underneath it, there is an entry that says explorer.exe... is this the one I want to delete?

I am about to perform the last step, which I hope removes the icons from my desktop, because nothing else has...I am also still getting a lot of messages from Sygate as to the blocking of an application: "NDIS User mode I/O Driver (file name ndisuio.sys) has been blocked from accessing the network"...and since I installed the firewall, which was either last night or this morning, I already have a ton of log entries....I am not trying to complicate matters, just presenting issues to you as they occur, I thought they may assist you in understanding my problem better...all that I have mentioned has been pertaining to the same problem--I already have HJT downloaded, and am ready to install, scan, and post if deemed necessary (of course in the appropriate forum only).

I am not going to delete the only "shell" entry I could find yet, until I get word from you that it is okay to do...I am going to run ATF Cleaner, and see how it goes.
Post #12 - Nov 19 2007, 02:18 PM - Bleepin' Janitor (Group: Global Moderator, Posts: 14,074, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513)
Since you already have HijackThis, I think it would be easier to post a log for us to see exactly what's going on.

Post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.