
Unhappy Mothers Day - Computer Infected


  • This topic is locked
4 replies to this topic

#1 J.A.C.

J.A.C.

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 14 May 2008 - 12:52 AM

Hi all,

On Sunday evening my wife tried to use her computer and a dialog box popped up in the middle of the screen telling her she had spyware installed. (Black box, not normal Windows XP format.) She called me in and I tried to open the task manager but got "task manager is disabled by your security settings" or something like that. I let several expletives go under my breath. There was also a persistent popup from the system tray with a warning sign icon that would also warn about the computer being infected. Then I noticed that her desktop background had also been replaced with an HTML file that had a big "Your computer is infected" sort of message and a link to download anti-spyware software. Finally, a Security Manager window (the real XP one) popped up and I thought this was real, clicked, and got a web page that had some spyware ads on it. Oops. So it had taken over the Security Manager as well.

Note that Norton Internet Security was running the whole time. I did a couple of scans with it but all that it identified were some tracking cookies.

Being resourceful, I downloaded Spybot S&D and ran it. It found a number of suspicious things and I removed them. (I'd google the .exe or .dll, and if it was bad, I'd have Spybot remove them.) Unfortunately, as soon as I removed them, they were back. This included some stuff with smitfraud in the name and some other things.

Spybot did start teatimer. During this time I googled the "task manager" issue and fixed it. When I changed the registry, teatimer saw the change and popped up a warning. I allowed it to change. It instantly popped up another warning that something was trying to change it back.

At this point I downloaded hijackthis and ran it. It noticed some startup stuff that wasn't usual and I killed this and rebooted. When I rebooted, spybot ran before I got logged in and I cleaned up almost everything that wasn't a tracking cookie. There was something called virtumonde that I wasn't sure of and left it, though recent googles indicate that this should go as well. I also had hijackthis "fix" the bad default.htm that it identified as a background problem.

More googling led me to ComboFix, which I also ran. (Sorry - didn't have an account here and hadn't seen the "Don't run this until we tell you" warning.)

However, the computer is still not well. I've had some new pop-ups, including a clever one that resized and hid my FireFox window behind a pop-up by the system tray. I've also had porn search pages sporadically pop up while using FireFox. Also, shortly after logging in, my wife's background is now replaced with a plain blue background, so that's broken as well.

I did update Norton a bit ago and then rebooted and when I logged back in the computer complained about a couple of DLLs:

Error loading C:\WINDOWS\system32\bogphutr.dll
Invalid access to memory location

Error loading C:\WINDOWS\system32\ngxpmuti.dll
Invalid access to memory location

Since that reboot (knock on wood) I haven't had a pop-up, but the background is still blue and I don't want to turn this over to my wife and daughter until it has a clean bill of health.

I'm attaching my hijackthis and combofix logs.

Please help!

Thanks - Jim



#2 J.A.C.

J.A.C.
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 14 May 2008 - 07:39 PM

Note that Norton just found and removed a virus called Trojan.LowZones. It also found Trojan Horse in the combofix quarantine directory and "fixed" it as well.

#3 J.A.C.

J.A.C.
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 17 May 2008 - 11:25 AM

In case my last update was misleading, the computer is still not working correctly. No browser funniness since Norton removed Trojan.LowZones, but it still complains about missing DLLs when starting up and something changes the desktop background. My wife is still afraid to use it for her work so any help would be greatly appreciated.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:51 PM

Posted 31 May 2008 - 12:12 PM

Hi,

The forums are really busy, that explains why logs get behind. If you still need some help, please start with posting a new Combofix log in this thread. Don't start with a new thread.
Then I'll take a look. :thumbsup:

Also, please redownload Combofix, because the version you are using is outdated.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:51 PM

Posted 09 June 2008 - 07:24 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.