
I Have Malware Infestation-- Sudden Onset


11 replies to this topic

#1 Quakrt (Members, 7 posts)

Posted 06 February 2008 - 10:00 AM

I have never had such a problem. I was surfing yesterday when I suddenly got many pop-ups. Then my desktop icons and taskbar started disappearing. They would go off, and a "media" control bar (which I had never seen before) would pop up on the taskbar; then all the icons would reappear and keep disappearing. When I try to boot in Safe Mode, I still can't get a desktop to function. I have to open programs through Task Manager.

I have run Ad-Aware Pro many times, and it has found multiple malwares, including Small. But now, when I try to delete it, I get a blue screen of death which says something like: "The Windows Logon Process system process terminated unexpectedly with a status of (machine code). The system has been shut down."

I have also run Spybot Search & Destroy, which got rid of a few things. Norton AV was useless. The Windows malware tool detected nothing.

This is the best site I have found-- please let me know what I should do next!

Thanks,
Q


#2 boopme (Global Moderator, 72,240 posts; "To Insanity and Beyond"; Male, NJ USA)

Posted 06 February 2008 - 02:14 PM

Hello and welcome, Quakrt. Let's start here.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or the Opera browser, click on that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is working now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Quakrt (Topic Starter; Members, 7 posts)

Posted 06 February 2008 - 04:33 PM

Thank you very much-- I'll try to do this. One problem is I have no access to desktop icons. Hopefully, I will be able to open Firefox through task manager and download the applications, and then open them through task manager.

This is really, really a pernicious attack. It has wiped out my ability to basically use the machine. I think it has also set up an administrator logon. Finally, it crashes the machine when I try to get rid of it. I am typing now on a clean desktop.

I will try these steps and report back,
THANK YOU!!

#4 Quakrt (Topic Starter; Members, 7 posts)

Posted 06 February 2008 - 08:04 PM

My computer works again!! Many thanks for your help. Below is the log file. My computer boots up so far and has a desktop again. SUPERAntiSpyware found 42 threats (compared to Norton: 0, Windows Malware: 0, Ad-Aware: 12, Spybot: 4 or 5).
SUPERAntiSpyware found 6 different trojans, a total of 42 threats (shudder).

Do you think all the trojans and so forth are gone?
Again, THANKS, is there a way to donate?

Here is log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/06/2008 at 07:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 02:36:09

Memory items scanned : 172
Memory threats detected : 2
Registry items scanned : 6371
Registry threats detected : 15
File items scanned : 79924
File threats detected : 25

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\PMNMNKH.DLL
C:\WINDOWS\SYSTEM32\PMNMNKH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}\InprocServer32
HKCR\CLSID\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnmnkh
C:\WINDOWS\SYSTEM32\RQRRSST.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\KHHHI.DLL
C:\WINDOWS\SYSTEM32\KHHHI.DLL

Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE.TMP
C:\WINDOWS\Prefetch\MROFINU572.EXE-27C51A6D.pf

Adware.ClickSpring
[Sen] C:\WINDOWS\STEM32~1\USERINIT.EXE
C:\WINDOWS\STEM32~1\USERINIT.EXE
C:\WINDOWS\Prefetch\USERINIT.EXE-39F7F075.pf

Adware.StarsDoor
[Drmupgds] C:\PROGRAM FILES\DRMUPGDS\DRMUPGDS.EXE
C:\PROGRAM FILES\DRMUPGDS\DRMUPGDS.EXE
C:\WINDOWS\Prefetch\DRMUPGDS.EXE-02F6DE9B.pf

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F8DB660-2C39-4C5A-83EE-8E725CBE2EFE}
HKCR\CLSID\{0F8DB660-2C39-4C5A-83EE-8E725CBE2EFE}
HKCR\CLSID\{0F8DB660-2C39-4C5A-83EE-8E725CBE2EFE}\InprocServer32
HKCR\CLSID\{0F8DB660-2C39-4C5A-83EE-8E725CBE2EFE}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Bo\Cookies\bo@atdmt[2].txt
C:\Documents and Settings\Bo\Cookies\bo@gomyhit[1].txt
C:\Documents and Settings\Bo\Cookies\bo@ex=1_[2].txt
C:\Documents and Settings\Bo\Cookies\bo@rightmedia[1].txt
C:\Documents and Settings\Bo\Cookies\bo@dist.belnk[2].txt
C:\Documents and Settings\Bo\Cookies\bo@ad.outerinfoads[2].txt
C:\Documents and Settings\Bo\Cookies\bo@288_[3].txt
C:\Documents and Settings\Bo\Cookies\bo@288_[2].txt
C:\Documents and Settings\Bo\Cookies\bo@cgi-bin[2].txt
C:\Documents and Settings\Bo\Cookies\bo@ads.mm.ap[1].txt
C:\Documents and Settings\Bo\Cookies\bo@trustedantivirus[1].txt
C:\Documents and Settings\Bo\Cookies\bo@ads.cnn[1].txt
C:\Documents and Settings\Bo\Cookies\bo@finder-sprint-family[1].txt

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 ]

Adware.VXGame-Trace
HKU\S-1-5-21-117998014-2059527890-944171104-1006\Software\kernelexe

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B122.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\IHHHK.INI
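The SUPERAntiSpyware logs in this thread are the evidence the whole cleanup rests on, so here is a small triage script for them. It is an added example, not part of the thread and not SUPERAntiSpyware's own code. It assumes the log layout visible above (`Key : value` header lines, then blank-line-separated groups whose first line is the threat name and whose remaining lines are files, registry keys or `[name] path` items), classifies each finding, flags entries that sit in well-known autostart locations (Run key, Winlogon Notify, Browser Helper Objects, ShellExecuteHooks), and compares two scans to show which threat names survived the first cleanup. The embedded logs are trimmed excerpts of the two logs posted in this thread; the `PERSISTENCE_HINTS` table and the `classify` rules are this example's own assumptions, not anything SAS emits.

```python
"""Triage helper for the SUPERAntiSpyware scan logs posted in this thread.

Added example, not part of the thread or of SUPERAntiSpyware. Assumes the log
layout shown above: "Key : value" header lines, then blank-line-separated groups
whose first line is the threat name. PERSISTENCE_HINTS is this example's own
table of well-known autostart locations, not something SAS reports.
"""
import re
from collections import Counter

# Trimmed excerpt of the first log above (post #4).
SCAN_1 = r"""
SUPERAntiSpyware Scan Log
Generated 02/06/2008 at 07:32 PM

Memory threats detected : 2
Registry threats detected : 15
File threats detected : 25

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\PMNMNKH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E180F496-8A4B-44E2-9FE0-0364E345DB7F}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnmnkh

Trojan.Downloader-Gen/MROFIN
[runner1] C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\MROFINU572.EXE
C:\WINDOWS\Prefetch\MROFINU572.EXE-27C51A6D.pf

Adware.ClickSpring
[Sen] C:\WINDOWS\STEM32~1\USERINIT.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Bo\Cookies\bo@atdmt[2].txt
C:\Documents and Settings\Bo\Cookies\bo@ad.outerinfoads[2].txt

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu572.exe ]

Adware.VXGame-Trace
HKU\S-1-5-21-117998014-2059527890-944171104-1006\Software\kernelexe
"""

# Trimmed excerpt of the second log (post #6, after the first cleanup).
SCAN_2 = r"""
SUPERAntiSpyware Scan Log
Generated 02/07/2008 at 01:21 AM

Registry threats detected : 0
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Bo\Cookies\bo@doubleclick[1].txt
C:\Documents and Settings\Bo\Cookies\bo@ad.outerinfoads[1].txt

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\BO\LOCAL SETTINGS\TEMP\!UPDATE.EXE
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s(.+)$")
ARTIFACT_RE = re.compile(r"^(\[[^\]]+\]\s+)?([A-Z]:\\|HKLM\\|HKCR\\|HKCU\\|HKU\\|Software\\)", re.I)

# Autostart locations that load code into logon, the shell or the browser (lowercase substrings).
PERSISTENCE_HINTS = {
    "\\currentversion\\run#": "Run key (started at every logon)",
    "\\winlogon\\notify\\": "Winlogon Notify DLL (loaded into winlogon.exe)",
    "\\browser helper objects\\": "Browser Helper Object (loaded into Internet Explorer)",
    "\\shellexecutehooks": "ShellExecuteHook (loaded into Explorer)",
}


def parse_sas_log(text):
    """Return (header dict, [(threat_name, entry), ...]) for one SAS log."""
    header, findings = {}, []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # A detection group: threat name followed only by file/registry entries.
        if len(lines) >= 2 and all(ARTIFACT_RE.match(ln) for ln in lines[1:]):
            findings.extend((lines[0], ln) for ln in lines[1:])
            continue
        for ln in lines:  # everything else is header material
            m = HEADER_RE.match(ln)
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
    return header, findings


def classify(entry):
    """Coarse triage class for one finding; persistence locations win over plain 'registry'."""
    item = re.sub(r"^\[[^\]]+\]\s+", "", entry).lower()  # drop a "[runner1] " style prefix
    for hint, label in PERSISTENCE_HINTS.items():
        if hint in item:
            return "persistence: " + label
    if re.match(r"^(hk\w+|software)\\", item):
        return "registry"
    if "\\cookies\\" in item:
        return "cookie"
    if "\\prefetch\\" in item:
        return "prefetch trace"
    return "file"


def summarize(text):
    """Counts by class and by threat name, plus the persistence entries themselves."""
    header, findings = parse_sas_log(text)
    persistence = [(n, e) for n, e in findings if classify(e).startswith("persistence")]
    return {"header": header, "by_class": Counter(classify(e) for _, e in findings),
            "by_threat": Counter(n for n, _ in findings), "persistence": persistence}


def compare(first, second):
    """(threat names seen in both scans, threat names that are new in the second)."""
    a = {n for n, _ in parse_sas_log(first)[1]}
    b = {n for n, _ in parse_sas_log(second)[1]}
    return sorted(a & b), sorted(b - a)


if __name__ == "__main__":
    rep = summarize(SCAN_1)
    print("registry threats per header:", rep["header"]["Registry threats detected"])
    for cls, n in rep["by_class"].most_common():
        print(f"{n:3d}  {cls}")
    for name, entry in rep["persistence"]:
        print("PERSISTENCE", name, "->", entry)
    print("still present / new in scan 2:", compare(SCAN_1, SCAN_2))
```

Seeing the `WinLogon\Notify\pmnmnkh` entry flagged next to the `PMNMNKH.DLL` file makes the blue screen from the first post easier to read: a DLL registered as a Winlogon notification package is loaded by winlogon.exe, so deleting it while it is loaded can take the logon process down with it, which is one reason removals like this are done from Safe Mode. The `compare` output shows that only the cookie and ClickSpring names carried over into the second scan, while the registry-resident items did not come back.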

#5 boopme (Global Moderator, 72,240 posts; "To Insanity and Beyond"; Male, NJ USA)

Posted 06 February 2008 - 08:22 PM

You are welcome. I would recommend you scan it again with SAS. Also run an online scan with ESET Online Scanner and Panda ActiveScan. Let us know if anything else was found. Post back the last SAS scan log, as there are a couple of last steps.

#6 Quakrt (Topic Starter; Members, 7 posts)

Posted 07 February 2008 - 07:58 AM

Here is the second SUPERAntiSpyware scan. It is down to five items. I still must have a problem because I am getting Outerinfo pop-ups. What is strange is that I am using Firefox but they are appearing in IE mini windows. I have never had pop-ups before :thumbsup:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2008 at 01:21 AM

Application Version : 3.9.1008

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 02:35:43

Memory items scanned : 172
Memory threats detected : 0
Registry items scanned : 6366
Registry threats detected : 0
File items scanned : 80093
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Bo\Cookies\bo@doubleclick[1].txt
C:\Documents and Settings\Bo\Cookies\bo@ad.outerinfoads[1].txt
C:\Documents and Settings\Bo\Cookies\bo@ad.yieldmanager[2].txt

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\BO\LOCAL SETTINGS\TEMP\!UPDATE.EXE
C:\DOCUMENTS AND SETTINGS\BO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\EXYBOPQ9\!UPDATE-4495[1].0000

#7 boopme (Global Moderator, 72,240 posts; "To Insanity and Beyond"; Male, NJ USA)

Posted 07 February 2008 - 11:30 AM

Let's run this: download Dr.Web CureIt and save it to your desktop. Boot into Safe Mode and run it.

Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
When Dr.Web opens, an "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)

Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report.)
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply.

#8 Quakrt (Topic Starter; Members, 7 posts)

Posted 07 February 2008 - 04:36 PM

Dr.Web CureIt found more. What was strange was that while it was operating, Norton AntiVirus went off and reported new threats. Was this caused by Dr.Web CureIt?

Here is the log:
A0010692.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79\A0010692.exe;Adware.MediaTicket.origin;;
A0010692.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79;Archive contains infected objects;Moved.;
A0010693.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79;Adware.Outer;Incurable.Moved.;
A0012940.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Trojan.Winpop.origin;Incurable.Moved.;
A0012941.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Adware.Outer;Incurable.Moved.;
A0012942.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0012942.exe;Adware.MediaTicket.origin;;
A0012942.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Archive contains infected objects;Moved.;
A0012996.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Adware.MediaTicket.origin;Incurable.Moved.;
A0012997.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Trojan.Stars.origin;Incurable.Moved.;
A0014030.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Trojan.DownLoader.45540;Deleted.;
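Every one of the ten Dr.Web hits above lives under `C:\System Volume Information\_restore{...}\RPnn`, i.e. inside System Restore snapshots, and that is the first thing a practitioner wants surfaced before deciding whether a machine is still actively infected. The script below is an added example, not part of the thread and not Dr.Web's own code. It assumes the semicolon-separated layout seen in the post (`object;path;threat;action;`), and that an object named like `archive.exe\data002` is a member of an archive whose action is reported on the archive's own row; the restore-point grouping relies only on the path layout visible above.

```python
"""Group the Dr.Web CureIt report (DrWeb.csv) posted above by where each hit lives.

Added example, not part of the thread or of Dr.Web. Assumes the row layout
object;path;threat;action; and that "name.exe\data002" objects are archive
members whose action appears on the archive's own row.
"""
import re
from collections import Counter, defaultdict

# The ten report lines from post #8 above, verbatim.
DRWEB_CSV = r"""
A0010692.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79\A0010692.exe;Adware.MediaTicket.origin;;
A0010692.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79;Archive contains infected objects;Moved.;
A0010693.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP79;Adware.Outer;Incurable.Moved.;
A0012940.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Trojan.Winpop.origin;Incurable.Moved.;
A0012941.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Adware.Outer;Incurable.Moved.;
A0012942.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81\A0012942.exe;Adware.MediaTicket.origin;;
A0012942.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP81;Archive contains infected objects;Moved.;
A0012996.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Adware.MediaTicket.origin;Incurable.Moved.;
A0012997.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Trojan.Stars.origin;Incurable.Moved.;
A0014030.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP83;Trojan.DownLoader.45540;Deleted.;
"""

# System Restore keeps copies of replaced/removed files under _restore{GUID}\RPnn.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)", re.I)


def parse_drweb_csv(text):
    """One dict per report row; empty actions point at the containing archive."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            continue  # not a report row
        obj, path, threat, action = fields[:4]
        m = RESTORE_RE.search(path)
        rows.append({
            "object": obj, "path": path, "threat": threat,
            "action": action or "(see containing archive)",
            "inside_archive": "\\" in obj,          # e.g. A0010692.exe\data002
            "restore_point": m.group(1) if m else None,
        })
    return rows


def triage(rows):
    """Split hits into System Restore copies vs. files anywhere else, plus action totals."""
    by_rp, elsewhere = defaultdict(list), []
    for r in rows:
        if r["restore_point"]:
            by_rp[r["restore_point"]].append(r["threat"])
        else:
            elsewhere.append(r)
    return {"restore_points": dict(by_rp), "elsewhere": elsewhere,
            "actions": Counter(r["action"] for r in rows)}


if __name__ == "__main__":
    result = triage(parse_drweb_csv(DRWEB_CSV))
    for rp, threats in sorted(result["restore_points"].items()):
        print(rp, len(threats), "hit(s):", ", ".join(threats))
    print("hits outside System Restore:", len(result["elsewhere"]))
    print("actions:", dict(result["actions"]))
```

Run on the posted report, the grouping shows three restore points (RP79, RP81, RP83) and nothing outside them, which is consistent with archived copies of files removed earlier rather than with the active Outerinfo pop-ups the later posts describe; reading ten near-identical lines by hand hides that distinction.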

#9 boopme (Global Moderator, 72,240 posts; "To Insanity and Beyond"; Male, NJ USA)

Posted 07 February 2008 - 04:40 PM

You still get pop-ups?

#10 Quakrt (Topic Starter; Members, 7 posts)

Posted 07 February 2008 - 06:08 PM

Not yet-- let's watch and see!
Can you explain why so many of the standard programs (Ad-aware professional, Spybot S&D) do not detect all these infestations? If you are too busy it is ok.
I will post again if I get pop-ups.
Thanks very much!

#11 Quakrt (Topic Starter; Members, 7 posts)

Posted 07 February 2008 - 07:17 PM

Outerinfo pop-up ads are back :thumbsup:

They show up as separate IE windows EVEN WHEN I am using Firefox.

Why won't these things die?

#12 boopme (Global Moderator, 72,240 posts; "To Insanity and Beyond"; Male, NJ USA)

Posted 07 February 2008 - 09:27 PM

Well, you're going to need to use a couple of specialized tools with supervision. So let the HJT Team experts take you through this and it will be gone. Follow these instructions; you can skip to step 9 now: Preparation Guide for use before posting a HijackThis Log. Post that log HERE by clicking New Topic and giving it a title like 'Outerinfo'. They are very busy, so it may take a couple of days to get a response. That is why I try to cure it here first. Once you post the log, do not make any changes to your PC until the Team contacts you. I can be reached via PM.