Another Serious Spyware/malware Infection


12 replies to this topic

#1 rjaccin
  • Members
  • 7 posts

Posted 28 November 2007 - 10:44 AM

Hi There,
I have a serious infection with multiple problems that may or may not be related, but shortly after the infection the CPU started running at 100% and slowed everything down to unusable. The virus started with pop-ups telling me that I am infected and to click the pop-up to download software to remove it. I have a Dell and am running Windows XP Home, I'm not sure what version, but I update regularly so I most likely have the service packs installed. Actually, a Windows update was done a day or two before this infection.
These are some of the "files" in the pop ups: Trojan-Spy.win32@mx, Spyware.Cyberlog-x, pws.x-vir trojan.psw, Networm-i.virus@fp.
I had Norton AV and Webroot spyware running but they did not catch them. I have downloaded AVG and used it as well as HJT, and I realize I need to post the log here. I am working on that. The CPU now seems to be running normally, to where I can use the machine again, but it would be easier if I could connect to the Net using it. I cannot, however, connect to the internet when I open my browser, IE5.
I get "can not find server" messages but a ping test ran fine and software tells me com port is fine. Something seems to be blocking the connection through the software.
Have you seen malware do this before?



#2 buddy215
  • Moderator
  • 13,261 posts
  • Location:West Tennessee

Posted 28 November 2007 - 12:38 PM

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Post back with what SAS found.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 28 November 2007 - 01:27 PM

Since you cannot use your Internet, you are going to need access to another computer (family member, friend, etc) with an Internet connection.

Please download the following programs and save to a USB stick or CD:
ATF Cleaner
SmitfraudFix by S!Ri
RogueRemover
SUPERAntiSpyware Free
SUPERAntiSpyware Free Definition files - (Be sure to download both the Core and Trace Definitions)
HijackThis Installer. This is HijackThis 2.0.2 but it is an automatic setup version which will install HJT in the proper location if we need to use it. DO NOT fix anything with HijackThis unless advised.

Print out the Smitfraudfix Instructions so you can follow along when we get to that part of the fix.

Transfer all these programs directly to the Desktop of the infected computer <- (Important!)

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Double-click smitfraudfix.exe to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter to delete infected files.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and press Enter.
  • The tool will now check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file?" by typing Y and press Enter.
  • A reboot may be needed to finish the cleaning process.
  • If your computer does not restart automatically, please do it yourself manually (restart normally).
  • A text file will appear onscreen with results from the cleaning process. It can also be found at the root of the system drive, C:\rapport.txt.
Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
  • During the installation an icon will automatically be created on your Desktop.
  • Double-click on the RogueRemover icon to launch the program and select Check for Updates.
  • If prompted, click Download to receive the latest updates.
  • When completed, close the update window.
  • Select "Scan" and the program will walk you through the remaining steps.
Now double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Navigate to the SUPERAntiSpyware folder in C:\Program Files and unzip both the Core and Trace definition files.
  • An icon will have been created on your desktop. Double-click that icon to launch the program.
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen. Do not run a scan just yet.
  • Reboot in "Safe Mode" using the F8 method and launch SUPERAntiSpyware.
  • In the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 rjaccin
  • Topic Starter

Posted 29 November 2007 - 07:28 AM

Thank you. I will perform the tasks you suggest. It may take a few days because I am not on that computer as often. Will all this give me back my connection?

#5 quietman7
  • Global Moderator

Posted 29 November 2007 - 09:38 AM

Sometimes it takes several efforts with different tools to do the job. Even then, with newer types of malware infections, the task can be arduous.

While you're at it, also download and save WinSockFix in case we need it.

#6 rjaccin
  • Topic Starter

Posted 30 November 2007 - 12:33 PM

Yes, and arduous is an understatement! I am experiencing problems that I shouldn't, which increases the frustration level. I have another computer in the house that I can utilize for the downloads, however I am having issues with the USB memory sticks. One I recently purchased abruptly halts all operations, requiring a hard reset. The other one seems to download, but after I transferred files to the infected computer they were corrupted in some form or another and would not run. A DOS window quickly opened and closed. The only program that ran from the list you provided in post 3 was smitfraudfix. It didn't seem to fix the problem.
This will give you a good laugh, for some reason I can't even get to your website on the computer that works, so I print your instructions here at work and then hunt for the files that way. I will retry downloading the ATF, RR and SASF files and try to utilize those files to hopefully remedy my situation. I am close to dragging it to a repair facility.

#7 quietman7
  • Global Moderator

Posted 30 November 2007 - 12:42 PM

If you're having issues with your current USB stick, try another one or just download and save them to a CD. If I were in your situation, I would do both to save the trouble of running back and forth to work.

#8 rjaccin
  • Topic Starter

Posted 11 December 2007 - 06:48 AM

Thanks for your help. I think I'm making progress. SUPERAntiSpyware found 79 objects including 2 trojan files. The annoying pop-ups have stopped and the machine seems to be running properly now, however I cannot get a connection to the internet or retrieve email. Every time I start IE, it opens up with a kukkakreck.com string and a "page cannot be found" message. I use Outlook Express as default and the error window comes up way too fast. I'm almost there....
I ran the WinSockFix as well. Is there a particular registry key that may have been corrupted that I can turn back on?

Edited by rjaccin, 11 December 2007 - 06:53 AM.


#9 quietman7
  • Global Moderator

Posted 11 December 2007 - 10:56 AM

If you're having connectivity issues or errors such as "Page cannot be displayed", see:
"It's not always malware: How to fix the top 10 Internet Explorer issues"

Try resetting the IP address:
Go to Start > Run and type: cmd
Press OK or Hit Enter. A dos Window will appear.
At the command prompt, type or copy/paste: ipconfig /release
Hit Enter.
When the prompt comes back, type: ipconfig /renew
Hit Enter.
Close the command box and see if that fixes the connection. No reboot needed.

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or a malware infestation. Check with your ISP first, and if they insist that your connection is coming through, the problem must be at your end.

If you're using Windows XP SP2, log on as an administrator.
Go to Start > Run and type: cmd
Press OK or Hit Enter. A dos Window will appear.
At the command prompt, type or copy/paste: netsh winsock reset
Hit Enter.
When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset."
Close the command box and reboot your computer.

Go to Start > Run > type: cmd
Press OK or Hit Enter.
At the command prompt, type or copy/paste: ipconfig /flushdns
Hit Enter.
Close the command box.

If you're still having problems, configure TCP/IP to use DNS. Go to Start > Control Panel, and choose Network Connections.
Right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using dial-up), and choose Properties.
Double-click on the Internet Protocol (TCP/IP) item.
Select the radio button that says "Obtain DNS servers automatically".
Click OK twice to get out of the properties screen and restart your computer.

CAUTION: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you make these changes or you may lose your internet connection. If you are sure you do not need a specific DNS address, you may proceed.

#10 rjaccin
  • Topic Starter

Posted 14 December 2007 - 06:45 AM

I released, reset and flushed, but still no connection. I did not get to the point of configuring the TCP/IP to use DNS. I also read the IE top ten tips and tried altering the host file, but that only brought me to a point where the machine now hangs and I can do nothing. Just when I thought progress was made, I move back two steps. I feel like I'm swimming in a pool full of Jell-O.

#11 quietman7
  • Global Moderator

Posted 14 December 2007 - 07:09 AM

I can not however connect to the internet when I open my browser IE5...a ping test ran fine and software tells me com port is fine

Any reason you have not updated to IE6 or IE7? If it's a software problem with IE5, then updating may resolve it.

tried altering the host file, but that only brought me to a point where the machine now hangs and I can do nothing

Download HostsXpert - Hosts File Manager
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to start the program.
  • When the program opens, click the "Restore MS Hosts File" button in the left pane.
  • Click "Make Hosts Writable?" (if available).
  • Click "Restore Microsoft's Hosts file" when prompted and then click "OK".
  • Exit HostsXpert when done.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Another thing you can try is LSPFix.
Be sure to print out and follow the instructions provided in the Using LSP-Fix Tutorial.

I had Norton AV and...I have downloaded AVG

Are you using two anti-virus programs? If so, you need to remove one of them because using two can cause all sorts of other conflicts & problems.
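The hosts-file restore above, and the earlier symptom of a successful ping alongside "cannot find server" in the browser, both come down to name resolution: Windows consults %SystemRoot%\system32\drivers\etc\hosts before it asks DNS, so a rogue entry silently sends a site to 127.0.0.1 or to an address of the attacker's choosing while raw IP connectivity still works. Before overwriting the file with a stock copy it is worth seeing exactly what was changed, because a custom entry you added yourself will be lost by the restore and a redirect to a non-loopback address is a stronger signal than a simple blackhole. The script below is an added example for this thread, not a tool from the page or from HostsXpert; it parses a hosts file, skips the stock localhost lines, and classifies every remaining entry. The watch-list of security and update domains and the sample tampered file are constructed assumptions for illustration, not data from the thread.

```python
"""Audit a Windows hosts file for the tampering spyware uses to keep a victim
from reaching help, vendor or update sites.

Added example for this thread, not a tool from the page. The watch-list and
the sample file are assumptions for illustration.
"""
import ipaddress
import os
import sys
from dataclasses import dataclass

# Entries Microsoft ships in a stock hosts file (XP has the first; Vista+ add ::1).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Sites malware commonly blackholes or redirects (assumed list; extend as needed).
WATCHED_SUFFIXES = (
    "bleepingcomputer.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "norton.com", "avg.com", "grisoft.com",
    "superantispyware.com", "webroot.com", "malwarebytes.org",
)

# Address blocks a home user might legitimately pin by hand (RFC 1918 + IPv6 ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    hostname: str
    severity: str   # "hijack" | "suspicious" | "custom" | "malformed"
    reason: str


def is_local(addr):
    """True for loopback, unspecified, link-local and private addresses."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local
            or any(addr in net for net in LOCAL_NETS))


def parse_hosts(text):
    """Yield (line_no, first_token, other_tokens) for each non-comment line.
    '#' starts a comment; a line may list several names for one address."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            yield n, tokens[0], tokens[1:]


def audit_hosts(text):
    """Return a Finding for every entry that is not a stock default."""
    findings = []
    for n, first, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            findings.append(Finding(n, first, " ".join(names), "malformed",
                                    "first token is not an IP address"))
            continue
        if not names:
            findings.append(Finding(n, first, "", "malformed", "address with no hostname"))
            continue
        for name in names:
            lname = name.lower()
            if (first, lname) in DEFAULT_ENTRIES:
                continue
            watched = any(lname == s or lname.endswith("." + s) for s in WATCHED_SUFFIXES)
            if watched and (addr.is_loopback or addr.is_unspecified):
                findings.append(Finding(n, first, name, "hijack", "security/update site blackholed"))
            elif watched:
                findings.append(Finding(n, first, name, "hijack",
                                        "security/update site redirected to " + first))
            elif not is_local(addr):
                findings.append(Finding(n, first, name, "suspicious",
                                        "name pinned to a public address (possible pharming)"))
            else:
                findings.append(Finding(n, first, name, "custom", "non-default entry, verify it is yours"))
    return findings


HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "system32", "drivers", "etc", "hosts")

# Constructed sample standing in for a tampered XP hosts file; not from the page.
SAMPLE = """\
# constructed sample for the example
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com bleepingcomputer.com
0.0.0.0         liveupdate.symantec.com
203.0.113.10    www.example-bank.test      # public name pinned to an address the user never chose
192.168.1.20    fileserver.home            # a genuine custom entry
"""


def main(path=HOSTS_PATH):
    """Audit the live hosts file if present, else the built-in sample. Returns 1 on hijacks."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        print("no hosts file at %s, auditing the built-in sample" % path)
        text = SAMPLE
    findings = audit_hosts(text)
    for f in findings:
        print("line %d  %-10s %-15s %s  (%s)" % (f.line_no, f.severity, f.ip, f.hostname, f.reason))
    return 1 if any(f.severity == "hijack" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it with no arguments on the affected machine (Python 3.7 or later) to read the live file, or pass the path of a copy taken from the infected disk. A "hijack" with a non-loopback address means the malware is impersonating the site rather than merely blocking it, which is the case to investigate first; "custom" entries are the ones to re-add by hand after the restore. Malware also sometimes marks the hosts file read-only or hidden, which is what the "Make Hosts Writable?" step above is for.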

#12 rjaccin
  • Topic Starter

Posted 02 January 2008 - 08:14 AM

Norton Stinks!!!
It turns out that Norton Internet AV was the culprit. When I uninstalled it, my internet connection was restored and CPU usage decreased to normal levels. I had reached a point where I was ready to wipe the disc and start over, however this is no longer the case.
I am not out of the woods though. After Norton removal, I performed more scans with AVG and more infected files turned up in restore and temp internet files. I have updated the database, the computer is running well now and I will keep scanning regularly.
I don't feel good about having viruses still on my machine. What should I do with the infected files that are in the virus vault? AVG says it uses them for reference. If I delete them they have no chance of being restored, but I would not want to hamper the program. Your advice?
I would also like to thank you for all your help and let you know that it's good that people like you and these sites are out there to combat those idiots who devise this destructive software just for kicks.
Thank you.

#13 quietman7
  • Global Moderator

Posted 02 January 2008 - 08:38 AM

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them while in the quarantined area.

If you are not sure about files in quarantine, investigate each one with a Google search or use BC's File Database to determine what they are.

If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc.) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If turning off heuristics still doesn't allow access to the file while testing and emailing, disable the resident shield temporarily.

forum.grisoft: instructions for suspected FP's
