Fairly Nasty Spyware/virus Infection.


11 replies to this topic

#1 skweebl

skweebl

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 21 November 2007 - 10:14 PM

I wiped my computer the other day to reinstall windows, and made the huge mistake of venturing out into the untamed internet without fully updating windows and protecting myself. Now I've gone and caught myself some pretty bad spyware, and it doesn't seem to want to stay gone.


It started as a fake antispyware tool that installed itself with no chance to cancel the process. After this happened, I updated windows as much as it would allow and ran ad-aware, spybot search & destroy, and an AVG antivirus scan. All 3 programs found, and removed, various trojans, and AVG stopped giving me warnings. However, each time I start up my computer, I get a virus warning which AVG seems to take care of. Under my process list, there are several instances of Internet Explorer running at once, sometimes taking up very large amounts of memory. I also randomly hear the small "click" sound IE makes when you click a link. Furthermore, I'll randomly hear ads for various things playing in the background of my computer. There's no video, and no browser windows open I can see.


It's really starting to frustrate me. I haven't noticed a significant drop in performance, but it bothers me knowing it's even there, sending who knows what information to God knows who... All I've done is run AVG and Spybot scans a few times, each time picking up (and supposedly removing) new trojans.


Please help! I'm at a loss for what to do! Any insight as to how to fix this would be much appreciated.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:01 PM

Posted 21 November 2007 - 10:23 PM

Did you get a name for the rogue app, e.g. Ultimate Defender, Spyware Sheriff, etc.?

What is your OS, XP, Vista, etc.?

Edited by boopme, 21 November 2007 - 10:24 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 21 November 2007 - 10:37 PM

I don't remember the exact name. I wish I could tell you. Another note about it was that it came with an uninstaller, but after I uninstalled it, it immediately reinstalled itself. It was one of those fake programs that showed my computer being more infected than it really is, and tries to scam me into buying the full version. I didn't click on any links it gave me, of course. I wasn't going to fall for it, and I didn't want to make matters worse.


My OS is Windows XP.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:01 PM

Posted 21 November 2007 - 10:51 PM

If you do a Google search for multiple instances of iexplore.exe running in Task Manager, you will find numerous complaints with various causes and possible solutions. This problem could be malware or non-malware related. There are worms like W32/Lovgate-AD that will cause the same problem you are experiencing. In addition to other files, it drops iexplore.exe in C:\Windows\system32. One of the ways that malware tries to hide is to give itself the same name as a critical system file like iexplore.exe. However, it then places itself in a different location on your computer. The legit iexplore.exe is located in the C:\Program Files\Internet Explorer folder. Also make sure of the spelling. If it is iexplorer.exe, then this is malware.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Are you getting any fake alerts prompting you to download some program or advising you are infected?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

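The two checks quietman7 describes (same name in the wrong folder, or a lookalike spelling) can be applied to every running process in one pass. This is an added example, not code from the thread or from any of the tools it names; it assumes a default 32-bit install with Internet Explorer under %ProgramFiles% (on 64-bit Windows there is a second legitimate copy under Program Files (x86)), and it also shows each process's parent, since an Internet Explorer that starts itself without a user clicking anything will not share the parent of one launched from the desktop.

```powershell
# Added example (not code from the thread): check every running process whose
# name looks like Internet Explorer for the two tells quietman7 describes, a
# lookalike spelling (iexplorer.exe) or a copy outside the real IE folder, and
# show each one's parent process. Read-only; it changes nothing.
# Assumption: default 32-bit install path for Internet Explorer.
$expectedPath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

function Test-IexploreProcess {
    param([string]$ProcName, [string]$ImagePath)
    $lower = $ProcName.ToLowerInvariant()
    if ($lower -ne 'iexplore.exe') {
        return 'SUSPICIOUS: lookalike name'          # e.g. iexplorer.exe
    }
    if (-not $ImagePath) {
        # WMI could not read the image path; inspect it in Process Explorer
        return 'UNKNOWN: path not readable'
    }
    if ($ImagePath.ToLowerInvariant() -eq $expectedPath.ToLowerInvariant()) {
        return 'OK: expected location'
    }
    return 'SUSPICIOUS: unexpected location'        # e.g. C:\Windows\system32
}

$candidates = Get-WmiObject Win32_Process | Where-Object { $_.Name -like 'iexplore*' }
$rows = foreach ($p in $candidates) {
    # Look up the parent by PID; it may already have exited
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = '(exited)'
    if ($parent) { $parentName = $parent.Name }
    $verdict = Test-IexploreProcess -ProcName $p.Name -ImagePath $p.ExecutablePath
    New-Object PSObject -Property @{
        PID     = $p.ProcessId
        Name    = $p.Name
        Parent  = $parentName
        Verdict = $verdict
        Path    = $p.ExecutablePath
    }
}
$rows | Format-Table PID, Name, Parent, Verdict, Path -AutoSize
```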
#5 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 21 November 2007 - 11:17 PM

No, not since the initial infection have I gotten any windows opening asking me to buy fake software. No pop-ups at all, actually. The problems seem to vary a lot, as if I have one nasty thing hidden somewhere that's downloading a variety of malware to my machine. In fact, when AVG does find something, it's usually named "Trojan.generic.downloader" or something similar.


The only programs that are popping up with infection notices are AVG and Spybot S&D. I rebooted my computer, and there were 3 instances of iexplore.exe. Process Explorer seems to show that they're legit, but I find it odd that they're even there when I haven't opened IE. I use firefox for browsing.


Just now as I was typing this, I looked at the Process Explorer window to double check, and iexplore.exe started taking up a ton of processing speed, and several other processes opened up in the tree under it, disappearing too quickly for me to get a good look at the names, then I got an error message saying Internet Explorer had to be closed. I'm sorry I can't be any more specific than that. :thumbsup:


After rebooting, I didn't get the usual trojan alert from AVG. This is the first time Internet explorer has had an error, though. Is it natural to hear the IE link clicking sound in the background without having any IE windows open? I've never paid attention to it before.

Edit: I'm doing another Spybot scan. Hopefully I can give you some better information =)

Edited by skweebl, 21 November 2007 - 11:25 PM.


#6 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 22 November 2007 - 12:24 AM

Hey again. Spybot finished scanning and found something called "PWS.LDPinchIE". It removed it. I rebooted and AVG said "backdoor.generic7.xxd" was found. This is what it's found each and every time I reboot, even after healing. I just never took note of the name until this time. Is there -any- other information I can provide that will help? I really want to get this fixed.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:01 PM

Posted 22 November 2007 - 07:43 AM

Can you provide the specific location (file path) where your scans are finding these threats?

#8 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 22 November 2007 - 04:38 PM

Sorry for the much delayed response. Thanksgiving day. Kinda busy, you know? :thumbsup: I didn't take note of the location. I'm going to do another scan to see if it picks it up again and try to get you a file path of where all this stuff is. It usually gets a thing or two each time.

#9 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 22 November 2007 - 05:13 PM

Alright, did another scan. Here's what Spybot found. I hope this is more useful!


PWS.LDPinchIE: [SBI $0AE51F6A] Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Runtime

PWS.LDPinchIE: [SBI $339DB22A] Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Runtime


Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Autorun settings (startdrv)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
startdrv

Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Program file
C:\WINDOWS\Temp\startdrv.exe

This is similar to what it usually finds, sometimes with small variations in the name. AVG also warned me a few times about startdrv.exe, calling it "downloader.agent.14.c". I clicked heal each time, but it kept coming back immediately afterwards.

=)

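The Spybot report above names three persistence points that work together: a Run value that relaunches the dropper at logon, the dropped file itself in the Windows Temp folder, and a service named "Runtime" registered in both control sets. This added example (not code from the thread or from Spybot) re-checks all three without removing anything, so it can be run after a "heal" and again after a reboot to see which of them return, which is the behaviour skweebl describes.

```powershell
# Added example (not code from the thread): a read-only re-check of the three
# persistence points in the Spybot report, the Run value 'startdrv', the dropped
# file in %windir%\Temp, and the 'Runtime' service in every control set.
# It removes nothing; it only reports what is present.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'startdrv'
$dropFile  = Join-Path $env:windir 'Temp\startdrv.exe'
$svcName   = 'Runtime'

function Get-PersistenceReport {
    $report = @()

    # 1. Run value: relaunches the dropper at every logon
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$valueName]) {
        $report += "Run value '$valueName' PRESENT -> $($run.$valueName)"
    } else {
        $report += "Run value '$valueName' absent"
    }

    # 2. Dropped executable in the Windows Temp folder
    if (Test-Path -LiteralPath $dropFile) {
        $f = Get-Item -LiteralPath $dropFile
        $report += "File PRESENT: $dropFile ($($f.Length) bytes, written $($f.LastWriteTime))"
    } else {
        $report += "File absent: $dropFile"
    }

    # 3. The 'Runtime' service in each control set (Spybot flagged 001 and 002)
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $svcKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svcName"
        if (Test-Path -LiteralPath $svcKey) {
            $img = (Get-ItemProperty -Path $svcKey).ImagePath
            $report += "Service '$svcName' PRESENT in $($cs.PSChildName) -> ImagePath: $img"
        } else {
            $report += "Service '$svcName' absent in $($cs.PSChildName)"
        }
    }
    return $report
}

Get-PersistenceReport
```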
#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:01 PM

Posted 22 November 2007 - 05:51 PM

One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate download
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#11 skweebl

skweebl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 22 November 2007 - 07:25 PM

I didn't realize it was so serious. I JUST got done reformatting my computer, too. What an annoyance. I think I'll just reformat again, before it becomes even more of a problem. I don't want to take any chances, and since I haven't had the chance to reinstall a whole lot of my stuff and such, now would be a good time to do that before I have a whole lot to lose.

Not a whole lot of sensitive information goes through this computer, but I want to be on the very safe side of things.

Thanks for the info, it's much appreciated!


Edit: Again, I'm grateful for the help. I went ahead and reinstalled Windows. Didn't lose anything, really, since I only reformatted a couple days ago, so no harm was done. My problem is fixed now, so if you close resolved topics, you can go ahead and close this one! I would have done the things you said in your post, but I wanted to be done with it for good.


See you around!

Edited by skweebl, 22 November 2007 - 09:55 PM.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:01 PM

Posted 23 November 2007 - 06:42 AM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".