
I Know I Am



#1 sargentrs

sargentrs

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 27 April 2008 - 08:37 AM

Hi guys. Don't know where to begin. I know I've got issues, it's just hard to nail it down.

1. Windows Installer pops up every time I try to do anything in Internet Explorer. No biggie, I'm a Firefox man myself. Just annoying.

2. Got an infection yesterday. Background went orange with a note at the bottom that said something about being infected and go to Windows Security Center, blah, blah, blah. Then popups galore about SpyWare programs and fixes. Restored system to yesterday. Now getting random dialog boxes about registry errors regarding .exe files that won't initialize. File names are numeric, i.e. 123456789.exe, with registry keys shown.

3. Where do I start?


#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:04:50 AM

Posted 27 April 2008 - 09:12 AM

Hi and welcome :thumbsup:


You might start by letting us know what your Windows version is, what your antivirus program is, what other protection you have on board, and when it was all last fully updated and run on full deep scans.

When did you last update the computer from the Microsoft Windows Update site?

#3 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 27 April 2008 - 05:12 PM

Running Windows XP Pro. No Antivirus. Have run Ad-Aware and Spybot yesterday and today on full deep scan. Haven't run Windows Update in a while, due to issues with IE.

#4 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 27 April 2008 - 05:17 PM

Orange screen of annoyance is back. It says:

Your computer is under Spyware Attack.
Your computer is infected by anonymous spyware program.
Please follow Windows Security Center Tips to recover your system.

I ran Windows Update just now.

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,903 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:50 AM

Posted 27 April 2008 - 06:08 PM

Hello sargentrs,

Not having an AntiVirus is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: Install it and then run a full scan. Let it quarantine/delete anything it finds.

Please post the log in your next reply.

If you have any problems installing an Antivirus program, please let us know.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 27 April 2008 - 06:31 PM.
Fix tags. ~ OB

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:50 AM

Posted 27 April 2008 - 06:22 PM

http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html

Edited by DaChew, 27 April 2008 - 06:23 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 27 April 2008 - 07:23 PM

Installed BitDefender and ran full scan. Here's the report:


//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 27/04/2008 19:59:17
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\WINDOWS
C:\Program Files
Folders : 5560
Files : 74356
Memory processes scanned : 0
Archives : 0
Runtime packers : 6279
Identified viruses : 2
Infected files : 2
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 0
Moved files : 2
I/O errors : 1
Scan time : 00:14:18
Scan speed (files/sec) : 86

Virus definitions : 1184187
Scan plugins : 16
Archive plugins : 42
Unpack plugins : 7
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[ ] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\DOCUME~1\Randy\LOCALS~1\Temp\1209340757.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[ ] Registry keys
[ ] Cookies


Summary:

C:\WINDOWS\system32\CbEvtSvc.exe Infected: Trojan.Downloader.JJSB
C:\WINDOWS\system32\CbEvtSvc.exe Disinfection failed
C:\WINDOWS\system32\CbEvtSvc.exe Moved
C:\WINDOWS\system32\sockins32.dll Infected: Trojan.Renos.NBY
C:\WINDOWS\system32\sockins32.dll Disinfection failed
C:\WINDOWS\system32\sockins32.dll Moved

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:50 AM

Posted 27 April 2008 - 08:04 PM

Hello, you now need to follow these instructions to remove those that are left.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

CLEANING
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#9 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 28 April 2008 - 04:10 AM

Thanks guys. I'm a little new at this so please be patient with me. Trying to run SmitFraudFix and getting an error. Registry editing has been disabled by your administrator. I AM admin! Will it still work?

#10 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 28 April 2008 - 04:25 AM

OK, sorry. I'm a nervous nelly, I guess. SmitFraudFix finished. Here's what it said:

SmitFraudFix v2.319

Scan done at 5:06:14.17, Mon 04/28/2008
Run from C:\Documents and Settings\Randy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Randy


C:\Documents and Settings\Randy\Application Data


Start Menu


C:\DOCUME~1\Randy\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.254.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A6DA0EFB-EEB9-4AC3-B165-4046D1FCAFB7}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A6DA0EFB-EEB9-4AC3-B165-4046D1FCAFB7}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A6DA0EFB-EEB9-4AC3-B165-4046D1FCAFB7}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254


Scanning for wininet.dll infection


End
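
An added example, not part of the thread and not SmitfraudFix's own code: a small Python parser that reads the registry sections of a report laid out like the one above and flags the two load points a helper looks at first, a non-empty AppInit_DLLs value (here sockspy.dll) and a Userinit value that differs from the default. The sample report is a constructed excerpt mirroring the thread's values, and the expected Userinit string assumes a 32-bit XP install on C:.

```python
import re

# Constructed excerpt in the layout of a SmitfraudFix report; values mirror the thread.
SAMPLE_REPORT = r"""
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')    # [HKEY_...\Path] header line
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "Name"="Value" in reg-export form

# Assumed default for a 32-bit XP install on C: (reg-export form doubles backslashes).
EXPECTED_USERINIT = r"C:\\WINDOWS\\system32\\userinit.exe,"


def parse_registry_values(report):
    """Map each [HKEY_...] key in the report to its name/value pairs."""
    values, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        pair = VALUE_RE.match(line)
        if pair and current is not None:
            values[current][pair.group(1)] = pair.group(2)
    return values


def find_findings(report):
    """Flag a non-empty AppInit_DLLs value and a Userinit value that is not the default."""
    findings = []
    for key, vals in parse_registry_values(report).items():
        if key.endswith(r"\Windows") and vals.get("AppInit_DLLs"):
            # Every DLL named here is loaded into each process that maps user32.dll.
            findings.append("AppInit_DLLs loads: " + vals["AppInit_DLLs"])
        if key.endswith(r"\Winlogon"):
            userinit = vals.get("Userinit", "")
            if userinit.lower() != EXPECTED_USERINIT.lower():
                findings.append("Userinit altered: " + userinit)
    return findings
```

Run against the constructed sample it reports only the AppInit_DLLs entry, since the Userinit value matches the default; an extra executable appended to Userinit would produce a second finding.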

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:50 AM

Posted 28 April 2008 - 05:10 AM

Please reboot your computer in Safe Mode



Fix run in normal mode


Chewy

No. Try not. Do... or do not. There is no try.

#12 sargentrs

sargentrs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:50 AM

Posted 29 April 2008 - 04:40 AM

Ran Smit in safe mode. Got several "system cannot find specified file" errors. Looked like it hung up. Had to turn off/on to get back up. Orange screen of annoyance is still there. What did I do wrong?



