Infected W/ Virtumonde...


11 replies to this topic

#1 JWUequine08

JWUequine08

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 01:13 AM

I am running Windows XP on my Sony Vaio...and boy, do we have some issues...

It all started when I downloaded a program...my gut told me not to do it...I should have listened.

****Here are my main symptoms:

-Began w/ random audio clips being played (even a commercial for Twix...?!) and random internet page pop-unders,...THEN, the fun really began...

-The fake error notices started popping up=fake error balloons in the task bar, fake error windows...I don't even know what is real or fake anymore, so I don't click anything (actually, never have, isn't that the way you activate a lot of these things?)

- I have new desktop icons appearing...some are for "casinos" or "hot dates"...neither of which I need and/or want, btw...the others are imposters of the traditional Windows "shield" icons...except these two are blue and green...both say something about internet security center or something...they are both located in my start menu, and both link to this website, kukka or something like that (as I said before, no I do not click on these things, I checked their origin by right clicking and checking the properties label...smart huh? I hope sooo...)

- In addition to my newly acquired desktop icons, the icons and taskbar also like to do a disappearing act...and usually upon startup, I have the message on my desktop about "restore active desktop"...which I did click...but am now regretting, because it probably is fake too...


****Here is what I have done to TRY to fix the problem (obviously unsuccessfully):


1. I have downloaded and run Ad-Aware 2007, deleting what it finds, restarting after each time, until nothing is found

2. I downloaded and ran Spybot, until nothing was found...each time, however, it is not long until either one of these programs (Ad Aware and S+D) detects something again...I also have a question about Spybot--I sit there for a few minutes trying to decide on whether to allow some changes, or deny them...how do you know? There are so many popping up sometimes, and I don't want to do the wrong thing!

3. I downloaded Stinger, which I ran once....at this point, it becomes blurry because I am really getting frustrated...it takes me so long to even start up the laptop, and when I tried to shut it down today, it just kept telling me to contact an admin, that I was not authorized or something like that...

4. Another thing I did was update and scan with my Trend Micro, and installed SpySweeper...both detected the problems, and claimed to fix them, but I am still having serious issues that are only getting worse, and those pesky desktop icons are still there...I will try to update my Java tomorrow, but that will not solve the problem by itself, right?


So, with that said, here are my questions:

1. How do you know if a problem is beyond help and needs to be taken to a professional...I am seeing on the spybot alerts a lot of registry and startup changes...
2. How hard is this going to be if I do it myself? I am decent with computers, but definitely not with viruses, I have never come across this before
3. Can the virus do its "dirty work" while my computer is off? Oh God please say no...

FYI...I am coming to you via my parent's laptop right now, because I do not even want to turn mine on...it turns my stomach to see it infiltrated like that
PLEASE HELP ME!!!!!!!!

Edited by JWUequine08, 19 November 2007 - 01:18 AM.



#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 19 November 2007 - 03:17 AM

try this little gem

http://www.superantispyware.com/

you want the free version home users

fully update it, suggest reboot into safe mode and run it on a full deep scan; see what garbage it reports :thumbsup:

what DID stinger flag up?

and do you have the latest version of it (sept 07)

and your antivirus program is??what?

and other protection on there?

maybe a lesson to be learnt from this ; if in doubt DO NOT CLICK!!!!

(of interest, may we know which program you DID download please?)

also is system restore enabled at present ?

#3 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 09:57 AM

try this little gem

http://www.superantispyware.com/

you want the free version home users

fully update it, suggest reboot into safe mode and run it on a full deep scan; see what garbage it reports :flowers:

what DID stinger flag up?

and do you have the latest version of it (sept 07)

and your antivirus program is??what?

and other protection on there?

maybe a lesson to be learnt from this ; if in doubt DO NOT CLICK!!!!

(of interest, may we know which program you DID download please?)

also is system restore enabled at present ?




okay, here are the answers to your questions:

-I ran super antispyware previously, and it did find some things, but I do not know exactly what-I did know that the problems still persisted though...I am running it again as we speak

-STINGER: yes, I have the latest version...am I supposed to run this in safe mode as well?...I figured that I would run it right after I do super antispyware, since I am already in safe mode, and it takes my computer FOREVER to boot up...

I will report the results of the above after they are completed...

-ANTIVIRUS: Trend Micro

-other protection: added SpySweeper (product by webroot) AFTER the infection

-yes, do not ever click on anything! I have always prided myself in being a non-clicker lol...even with the occasional pop up, I would never click the X, because if it is a popup, the X does not actually get rid of it, just activates it..but I don't need to tell YOU that lol

-the program I d/l was Xara Xtreme, a 30 day trial...my problem was that I got it P2P off of ARES...bad, bad thing, I know :thumbsup:

-as per many suggestions I have seen on here, I have disabled system restore...
__________________________________________________________________________________________________________________________________


so, now that my laptop is up and running while being scanned (I am on the other laptop right now), I figured it was a good time to give some of the exact descriptions of some of the messages I am getting:

some of the more recent ones are pertaining to files, these usually turn up upon startup, and the description sounds to me like something is trying to access this file, and I assure you, it is not me...lol...

"C:\WINDOWS\shell.exe:
Windows cannot find 'C:\WINDOWS\shell.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

maybe I made the wrong decision when allowing or denying something Spybot brought up? Was this file deleted by accident? Do I need it? I get the same message with another file name, but it is not up right now, so I do not remember what it is...heck, I'm not even sure that this is a system message!

The messages I definitely KNOW to be fake are bubbles popping up from my taskbar (complete with blinking yellow triangle ! sign)...and another few that pop up in windows telling me to click here to get the latest "anti spyware blah blah blah"...rigggght, let me click there, great idea...I mean come on

OH! and another I just remembered is my newly acquired toolbar....SECURITY TOOLBAR 7.1...also, when online (which I try to avoid), if I am looking at a page, a new window pops up and starts to go to that website...let me see if I can get the address...here: kukkakreck.com/ceph,oin/?cmp=h5lid=1_.....that is all I can see from the properties tab, that is from the icons on my desktop, but I think when I am redirected to a new window, that is the exact site it tries to bring me to

I also have 2 new notepad icons on my desktop, labeled hs_err_pid1132 and hs_err_pid2764...I have not touched these, I do not know what they contain...

I will post the results of my super antispyware and stinger scans momentarily, I am very sorry this is a ton of information for whoever has to decipher...If I can help in any way to make it easier, please let me know! I look forward to hearing from someone...ANYONE!...::sigh::

#4 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 10:21 AM

okay, super anti spyware just finished...here is what it found:

in my files:

Adaware Tracking Cookies:
C:\Documents and Settings\Elizabeth\Cookies\elizabeth@19452074[2].txt

C:\Documents and Settings\Elizabeth\Cookies\elizabeth@doubleclick[1].txt

C:\Documents and Settings\Elizabeth\Cookies\elizabeth@login.tracking101[2].txt

C:\Documents and Settings\Elizabeth\Cookies\elizabeth@sexbuddies[2].txt - ahem...perhaps the most disturbing one yet

Trace Known Threat Sources:Files:

C:\Documents and Settings\Elizabeth\Cookies\Local Settings\Temporary Intetnet Files\Content.IE5\5BIXJ622\rd-fakeout2-720x300[1].gif
Is that one of the fake alerts I am getting?

Off to run Stinger now...

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:11 AM

Posted 19 November 2007 - 10:27 AM

Infected W/ Virtumonde...,

Did you follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection"?

my newly aquired toolbar....SECURITY TOOLBAR 7.1

This is more malware. Please print out and follow the generic instructions for using SmitfraudFix in BC's self-help tutorial "How to remove the Smitfraud/Generic Zlob".
(scroll down to where it says Removal Instructions; ignore the part that shows symptoms in a HijackThis log as they will not apply to your case.)
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

shell.exe = W32/Mytob-CA worm.

From what you describe in regards to the error message, the file is probably an orphaned entry related to this malware that was set to run at startup. Windows is trying to load this file but cannot locate it since the file may have been removed during an anti-virus scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message indicating that the file was not found. You need to remove this registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file you need to remove.
  • Right-click on the file and choose delete.
  • Reboot your computer and see if the startup error returns.
Why scan in safe mode: The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using "Safe Mode" to perform your scans reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
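A read-only check, added here as an example and not part of quietman7's instructions or of any BleepingComputer tool, that does in PowerShell what the Autoruns walk-through above does by hand: it lists Run/RunOnce startup entries whose target file no longer exists (the orphaned-entry situation behind the "Windows cannot find 'C:\WINDOWS\shell.exe'" message) and flags a Winlogon Shell value other than the Windows default, explorer.exe, which is the entry the topic starter later found in Autoruns. The registry paths are the standard Windows ones; the function names are assumptions of mine, and the script reports only, it deletes nothing.

```powershell
# Added example, not from the thread. Reports startup entries whose target
# file is missing (orphaned entries) and a non-default Winlogon Shell value.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt so the
# HKLM keys can be read in full. Nothing is modified or deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    # Extract the executable path from a startup command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent     or     C:\WINDOWS\shell.exe
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $first = ($cl -split '\s+')[0]
    # A bare name like explorer.exe is resolved through PATH, as Windows does.
    if ($first -notmatch '[\\/]') {
        $cmd = Get-Command $first -ErrorAction SilentlyContinue
        if ($cmd) { return $cmd.Source }
    }
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Find-OrphanedAutoruns {
    # Returns one object per startup value whose executable cannot be found.
    $results = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata
            $path = Get-CommandPath $p.Value
            if ([string]::IsNullOrWhiteSpace($path)) { continue }
            if (-not (Test-Path -LiteralPath $path)) {
                $results += [pscustomobject]@{
                    Key = $key; Name = $p.Name; Command = $p.Value; MissingFile = $path
                }
            }
        }
    }
    return $results
}

# On a clean system the Winlogon Shell value is exactly "explorer.exe";
# anything else (or anything appended after it) deserves a closer look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    Write-Warning "Winlogon\Shell is '$shell' (expected 'explorer.exe')"
}

Find-OrphanedAutoruns | Format-Table -AutoSize
```

An entry listed here is a candidate for removal in Autoruns, not proof of malware: a legitimately uninstalled program leaves the same kind of dangling value.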

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:11 AM

Posted 19 November 2007 - 10:29 AM

Your previous post I did not see when posting my reply.

When done with the above, do this:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#7 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 10:31 AM

ok great, I will try exactly what you said...

I do have a questions about Spybot, though...HOW do I know what to allow and what to deny? I just don't want to make any mistakes allowing something I don't want, or denying something I DO want...does this program only alert me to harmful things, so I can just deny everything? I am very confused about this

and, when I start up, I get the message about not being connected to the internet, and to work offline, or try again..i currently have my wireless off so it cannot connect without me knowing, but I have never gotten this message before this...not all the time anyway, maybe once in a great while

Edited by JWUequine08, 19 November 2007 - 10:33 AM.


#8 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 10:34 AM

answered my own question on this one :thumbsup:

Edited by JWUequine08, 19 November 2007 - 10:40 AM.


#9 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 10:38 AM

woah, I am so sorry for alllll the replies....but NOW, I just installed sygate firewall, and am getting requests for internet access (I turned on the connection so I could update my Virus software...again)...I really have a hard time deciding what to allow...are there some kind of guidelines somewhere for this kind of thing (in addition to spybot also?)??

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:11 AM

Posted 19 November 2007 - 10:42 AM

Follow the instructions I provided in post #5 and also run ATFCleaner as advised in post #6. Don't worry about what to allow or deny with Spybot or your firewall right now. Clean your system of the malware. If you continue to interject too many questions not related to the malware issue at hand, you are only going to get confused as to what you need to do.

#11 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:12:11 AM

Posted 19 November 2007 - 01:00 PM

I have gotten up to the Autoruns part, which I am doing now...

The only thing I can find related to "shell" is the first item listed...it has the registry symbol next to it: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

directly underneath it, there is an entry that says explorer.exe...

is this the one I want to delete?

I am about to perform the last step, which I hope removes the icons from my desktop, because nothing else has...I am also still getting a lot of messages from Sygate as to the blocking of an application: "NDIS User mode I/O Driver (file name ndisuio.sys) has been blocked from accessing the network"..and since I installed the firewall, which was either last night or this morning, I already have a ton of log entries....I am not trying to complicate matters, just presenting issues to you as they occur, I thought they may assist you in understanding my problem better...all that I have mentioned has been pertaining to the same problem--I already have HJT downloaded, and am ready to install, scan, and post if deemed necessary (of course in the appropriate forum only)

I am not going to delete the only "shell" entry I could find yet, until I get word from you that it is okay to do...I am going to run ATF cleaner, and see how it goes

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:11 AM

Posted 19 November 2007 - 02:18 PM

Since you already have HijackThis, I think it would be easier to post a log for us to see exactly what's going on.

Post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.



