
Infected


  • This topic is locked
13 replies to this topic

#1 draven

draven

  • Members
  • 136 posts
  • Location: England

Posted 24 March 2008 - 09:00 AM

Hello,

I have been infected with this trojan. I keep getting pop-ups all the time with warning messages; also I have the red circle icon with the white X with balloon messages.

I have run Ad-Aware and AVG Anti-Virus, and it found the file win.exe and deleted it, but I still have the pop-ups and messages.


What can I do? Please advise.

Thanks


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 24 March 2008 - 09:29 AM

Hello draven

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 Master5270

Master5270

  • Members
  • 131 posts
  • Gender: Male
  • Location: Where am I?

Posted 24 March 2008 - 11:42 AM

Hi, draven, I am Master5270, trying to help you too.

SmitfraudFix can remove most of the infection, but SUPERAntiSpyware can help too, because trojans usually get bundled with other types of malicious stuff.


Download and scan with SuperAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

If everything posted above fails, post a HijackThis (HJT) log by using these instructions.
First, use the Preparation Guide before posting a HJT log; follow all the instructions.
Then post a HJT log in this forum. The HJT team is busy, so it will take up to 5 days for a response.
If you haven't had a reply in 5 days, post your topic URL in this topic.

#4 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • Location: England

Posted 24 March 2008 - 12:13 PM

Thank you for both replies.

I should also note that this trojan has disabled the Task Manager and Registry Editor, saying "Registry editing has been disabled by your administrator" etc.



SmitFraudFix v2.308

Scan done at 17:03:08.68, 24/03/2008
Run from C:\Documents and Settings\Dan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Dan


C:\Documents and Settings\Dan\Application Data

C:\Documents and Settings\Dan\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\DAN\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}"="Windows Installer Class"

[HKEY_CLASSES_ROOT\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32]
@="C:\DOCUME~1\Dan\LOCALS~1\Temp\wndutl32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32]
@="C:\DOCUME~1\Dan\LOCALS~1\Temp\wndutl32.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,C:\\WINDOWS\\SERVICES.EXE,C:\\WINDOWS\\System32\\ntos.exe,"
"system"="csbbv.exe"


Rustock



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 195.92.195.94
DNS Server Search Order: 195.92.195.95

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer=195.92.195.94 195.92.195.95
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer=195.92.195.94 195.92.195.95
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.85 85.255.112.147
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.85 85.255.112.147
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.85 85.255.112.147


Scanning for wininet.dll infection


End

#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 24 March 2008 - 03:23 PM

Let's continue with SmitfraudFix for the moment.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by don77, 24 March 2008 - 09:49 PM.


#6 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • Location: England

Posted 24 March 2008 - 06:02 PM

Hello,

I have run the SUPERAntiSpyware Free Edition, and after a long 1 hr 40 min scan it found a lot of stuff. The good news is the messages and pop-ups are gone.

What still remains is that the Task Manager and Registry Editor are still disabled. What can I do to get them working again?


don77, should I carry on with doing what you have listed above with SmitfraudFix.exe?

Edited by draven, 24 March 2008 - 06:02 PM.


#7 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 24 March 2008 - 09:51 PM

Please do. I need to see the rapport.txt along with the log saved from SUPERAntiSpyware. Usually I like to run that after most of the infections are cleaned, but we will see what happens.

#8 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • Location: England

Posted 25 March 2008 - 02:43 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/24/2008 at 10:14 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:40:19

Memory items scanned : 335
Memory threats detected : 1
Registry items scanned : 4580
Registry threats detected : 7
File items scanned : 18209
File threats detected : 196

Trojan.Smitfraud Variant-Gen/SRem
C:\DOCUME~1\DAN\LOCALS~1\TEMP\WNDUTL32.DLL
C:\DOCUME~1\DAN\LOCALS~1\TEMP\WNDUTL32.DLL
HKLM\Software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}
HKCR\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}
HKCR\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32
HKCR\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{020487CC-FC04-4B1E-863F-D9801796230B}
C:\DOCUMENTS AND SETTINGS\DAN\LOCAL SETTINGS\TEMP\WNDUTL32.DLL

Adware.Tracking Cookie
Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.WsnPoem
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\NTOS.EXE
C:\WINDOWS\Prefetch\NTOS.EXE-1A029211.pf

Trojan.Downloader-Newsploit
C:\DOCUMENTS AND SETTINGS\DAN\LOCAL SETTINGS\TEMP\NEWSPLOIT.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\A5GBQ5CT\uv_default[1].gif

Edited by draven, 25 March 2008 - 02:45 PM.


#9 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 25 March 2008 - 02:58 PM

Could you post the rapport.txt from SmitfraudFix, please?

#10 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • Location: England

Posted 25 March 2008 - 03:08 PM

I couldn't finish the SmitfraudFix scan in Safe Mode because the trojan has disabled Task Manager and Registry Editor.

#11 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 25 March 2008 - 07:01 PM

I need to have a look at a HJT log, so I need you to run through the Preparation Guide For Use Before Posting A HijackThis Log.
When complete, please start a new topic in the Malware Forum.
Please post a link to the new topic back here for me (not the HJT log, just a link to the new topic).

#12 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • Location: England

Posted 26 March 2008 - 03:42 PM

http://www.bleepingcomputer.com/forums/ind...=137793&hl=

#13 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 26 March 2008 - 05:19 PM

Got it

Thanks

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 26 March 2008 - 09:51 PM

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Thanks for your cooperation and good luck with your log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
