Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Sypware Trojan Win-32@mx


  • This topic is locked This topic is locked
8 replies to this topic

#1 pocoloo

pocoloo

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:51 AM

Posted 23 February 2008 - 04:34 PM

I have a virus I can't get rid of. I am using Windows XP 2002 Service Pack 2.


It is also sending a message that it is also infected with SPYWARE TROJAN WIN 32@MX.

Message; Your Computer is infected with a back door trojan that allowa the remote attacker to perform various malicious actions. Click this baloon to download malware removal.

My home page is also being changed.


Can anyone help me with this please??????

BC AdBot (Login to Remove)

 


#2 t3s

t3s

  • Members
  • 628 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in MD
  • Local time:11:51 PM

Posted 23 February 2008 - 04:59 PM

Hello Pocoloo and welcome to bleepingcomputer.

Please start here and follow all instructions as failure to do so can/will only impair our ability to help you.


“Technology does not drive change -- it enables change.”
-Unknown

 

"I'm a cannibal... I eat Crackers"

 

Hacker != Cracker

 

website is down until further notice. . . . 


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:51 AM

Posted 23 February 2008 - 10:50 PM

If your using Win XP or 2000, do this:

Please print out and follow the generic instructions for using "SmitfraudFix". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 pocoloo

pocoloo
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:51 AM

Posted 24 February 2008 - 02:52 PM

I have followed the instructions and the problems seems to have cleared up!
This is the results from the Scan Log.

Thank you guys so very, very much. I really appreciate this!!

Is there anything else that I need to do, I notice that there are still some registry threats detected?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2008 at 02:24 PM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 01:11:52

Memory items scanned : 162
Memory threats detected : 0
Registry items scanned : 5151
Registry threats detected : 20
File items scanned : 30843
File threats detected : 0

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C566C34-7D72-4DC1-9BBE-1121A76698F8}

Rogue.AntiSpyKit
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\AuxUserType
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\AuxUserType\2
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\AuxUserType\3
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\dIFbbcebusE
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\ffegnGBjgjZ
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\hYyxmqHlszzf
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\InprocHandler32
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\jlbgiOR
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\LocalServer32
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\LocalServer32#LocalServer32
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\octzksr
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\ProgID
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\sabzhdvdCycs
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\UJZUZBi
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\Verb
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\Verb\0
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\Verb\1
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\Verb\2




THANKS!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:51 AM

Posted 24 February 2008 - 02:56 PM

SAS should have removed those threats. Are you advising it did not?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 pocoloo

pocoloo
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:51 AM

Posted 24 February 2008 - 02:59 PM

It appears so.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:51 AM

Posted 24 February 2008 - 03:08 PM

Rescan with SAS and confirm.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 pocoloo

pocoloo
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:51 AM

Posted 24 February 2008 - 04:36 PM

Did another scan, this time there are 11 threats in the file items.

What do I do next?

Thanks!



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2008 at 04:23 PM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 01:10:36

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 5158
Registry threats detected : 0
File items scanned : 36379
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Preferred Customer\Cookies\preferred customer@tacoda[2].txt
C:\Documents and Settings\Preferred Customer\Cookies\preferred customer@2o7[2].txt
C:\Documents and Settings\Preferred Customer\Cookies\preferred customer@specificclick[1].txt
C:\Documents and Settings\Preferred Customer\Cookies\preferred customer@msnportal.112.2o7[1].txt
C:\Documents and Settings\Preferred Customer\Cookies\preferred customer@doubleclick[1].txt

Rogue.VirusHeat
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP402\A0101642.EXE

Adware.E404 Helper/Variant-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP402\A0101656.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP405\A0101726.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP408\A0102877.ICO

Malware.VirusRanger
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP406\A0101779.DLL

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{32B47D5C-C13B-4968-9906-E14CF7889766}\RP408\A0102871.DLL

#9 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:09:51 PM

Posted 24 February 2008 - 05:46 PM

Hi pocoloo,

I see you have a HJT log posted in the HijackThis Logs and Malware Removal forum.

You shouldn't make any changes to your system, while your HJT log is posted, as that could change the results of the posted log, making it difficult to properly clean your system.
At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users