
Windows Xp - Infected With Spyware, Viruses, Etc... And Can't Automate Windows Updates


9 replies to this topic

#1 pigfinn

Posted 15 May 2008 - 05:29 PM

Hi everyone... thanks in advance for reading my post.

I am on Windows XP with a Dell Inspiron 9300. Haven't had many viruses, and when I did, I was successful in getting rid of them as well as spyware. This time is different, and I need help. Edit... also I have not installed any service packs, at least not to my knowledge.

A few nights ago I visited a site on some HTML context help and bam, got hit with spyware like crazy. This morning I woke up and my McAfee said it had found and removed virus Vundo (Trojan).

I am still swamped with spyware and pop up ads, etc, and can't open a website :thumbsup: I have run spybot, Ad-Aware 2007, McAfee Security, and a windows online antispy program. All have found spyware and corrected it, but it's coming back.

Another issue is that my Windows Automatic update setting is turned to "off". I can't turn it back on. I followed Windows online support instructions to go through "run" command "services.msc" and enable it from there, but when I try to do so... I get the following error.

"could not start the automatic updates server on local computer. error 1058. the service cannot be started, either because it is disabled or because it has no enabled devices associated with it" I keep getting messages that my windows is at risk due to "automatic updates" being turned off, but I can't turn it back on :flowers:

Back to spyware related... I just ran spybot, and received the following infections:
AdRevolver
CasaleMedia
MediaPlex
TagAsaurus
Virtumonde
Zedo

I will go ahead and "fix" these again, but something tells me they will be back!! :trumpet:

I cannot get to any website on my computer :inlove: I am using my work laptop to post this.

Any ideas on how to get a grip on this nightmare system of mine?

Thanks!

pigfinn

Edited by pigfinn, 15 May 2008 - 05:46 PM.



#2 boopme
  • Global Moderator

Posted 15 May 2008 - 06:52 PM

Hello pigfinn
First go to Start, right click My Computer > scroll to Properties.
In the resulting window, on the General tab (you will probably be there already) see what service pack it shows listed.
It will say something like Msft Windows...Version...Service pack.

Next; temporarily disable Tea timer in Spybot.

You can disable TeaTimer 2 ways

To disable TeaTimer and remove its startup entry:
Go into Spybot > Mode > Advanced Mode > Tools > Resident
Uncheck (if checked) the following:
Resident "TeaTimer" (Protection of over-all system settings) Active.

To temporarily close TeaTimer and restart it later:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.

Restart TeaTimer:(after Fix)
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Reboot is NOT necessary for the change to take effect.

http://forums.spybot.info/showthread.php?t=2827


NEXT:
Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt .
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 pigfinn

  • Topic Starter

Posted 15 May 2008 - 06:56 PM

hey boopme, thank you!! I updated spybot (yet again) and am running it again. As soon as I am finished, I will do as you instructed and will post the results, thank you! :thumbsup:

#4 boopme
  • Global Moderator

Posted 15 May 2008 - 07:01 PM

OK, that's good. I meant to mention Spybot and TeaTimer are good tools and you will re-enable them after the fix. There exists a possibility of it interfering with the fix so we need to temporarily stop it.

#5 pigfinn

  • Topic Starter

Posted 15 May 2008 - 08:12 PM

Okay, boopme, I am not sure what happened, but things appear to be much better! :thumbsup:

Here is what happened. After the latest run of Spybot finished, it found the following, and I fixed it (removed it). See below for output results of the Spybot scan.

Smitfraud-C.gp: [SBI $901C9C72] Link (File, fixed)
C:\Documents and Settings\Karyn\Favorites\Error Cleaner.url

Smitfraud-C.gp: [SBI $A66DB21C] Link (File, fixed)
C:\Documents and Settings\Karyn\Favorites\Privacy Protector.url

Smitfraud-C.gp: [SBI $472076AC] Link (File, fixed)
C:\Documents and Settings\Karyn\Favorites\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $D1117B94] Link (File, fixed)
C:\Documents and Settings\Karyn\Desktop\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $C4C37DA6] Link (File, fixed)
C:\Documents and Settings\Karyn\Desktop\Error Cleaner.url

Win32.Small.azl: [SBI $A95A5F26] Executable (File, fixed)
C:\WINDOWS\mrofinu572.exe

Win32.Small.azl: [SBI $A95A5F26] Executable (File, fixed)
C:\WINDOWS\mrofinu572.exe.tmp

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\eyebhyrk.dll

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\nrhrikvl.dll

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\oddxiakl.dll

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\rbrxywxx.dll

Virtumonde.dll: [SBI $7442D4BC] Library (File, fixed)
C:\WINDOWS\system32\sieqfriy.dll

Virtumonde.dll: [SBI $A65264B2] Library (File, fixed)
C:\WINDOWS\system32\urqPiGXO.dll

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ff1722e-9e88-499c-8b9b-6f1bc1db7c5e}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ff1722e-9e88-499c-8b9b-6f1bc1db7c5e}

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDFD22CB-B6EC-4814-819B-29AC3A09E6D4}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDFD22CB-B6EC-4814-819B-29AC3A09E6D4}

Zlob.Downloader.se: [SBI $51F90E47] IE toolbar (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{8D911181-10AA-4B3E-BC7F-8D4AD359921B}

Zlob.Downloader.se: [SBI $5C85C6DE] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8D911181-10AA-4B3E-BC7F-8D4AD359921B}


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2008-01-24 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2008-04-16 Includes\Adware.sbi (*)
2008-05-14 Includes\AdwareC.sbi (*)
2008-05-14 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-05-14 Includes\DialerC.sbi (*)
2008-05-14 Includes\HeavyDuty.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-05-14 Includes\HijackersC.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-05-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-05-14 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-05-14 Includes\PUPSC.sbi (*)
2008-05-14 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-05-14 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-05-14 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-05-14 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-30 Includes\Trojans.sbi (*)
2008-05-14 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll


After I ran Spybot and fixed the errors, I then went and disabled the TeaTimer as you suggested. I then went and downloaded VundoFix and ran it, but it found nothing :flowers: However, after the VundoFix scan ran and after I disabled TeaTimer and after Spybot ran, I was able to download the latest Windows updates!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Soooooooo... now do I go and enable the TeaTimer from spybot again? I've been typing on the forum for over 5 min and haven't had a pop up or adware, so things are looking good. Should I go and enable TeaTimer? Is that going to prevent me from my Windows Updates? I'm wondering why I can run the Windows Updates now?

#6 boopme
  • Global Moderator

Posted 15 May 2008 - 08:16 PM

First run this.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#7 pigfinn

pigfinn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:32 PM

Posted 15 May 2008 - 08:18 PM

okey dokey smokey joe... you rock!!, i will do just that... will post results in a bit...thanks :thumbsup:

#8 boopme
  • Global Moderator

Posted 15 May 2008 - 08:28 PM

It may have been stopped by the malware, very common. Also it may have been an error...

The Resident TeaTimer is a tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them, giving you some options on how to deal with this process in the future. You can set TeaTimer to:

  • be informed when the process tries to start again
  • automatically kill the process
  • or generally allow the process to run

There is also an option to delete the file associated with this process.

In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.

The TeaTimer is always running in the background.

http://www.safer-networking.org/en/faq/33.html

#9 pigfinn

pigfinn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:32 PM

Posted 15 May 2008 - 09:01 PM

well boopme... things appear to be running great. I feel bad that this is a free site. Is there anywhere/anyway that I can contribute a few bucks $$$ to this, you guys are great.

Here are the results of the Malware scan (below). My computer is fine. Other than enabling the tea timer, I am good. Anything else I should do? Wow, I forget how wonderful it is to type without a bunch of pop up ads, etc. Thank you again... looks like you're one of the good guys... nice work... keep it up... we need you!! Thank you!!!!!!!!!!!!!!!!!!!!!!!!


Malwarebytes' Anti-Malware 1.12
Database version: 753

Scan type: Quick Scan
Objects scanned: 45754
Time elapsed: 23 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\egodktf.brfm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\egodktf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7fdd0ea2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7fdd0ea2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Delete on reboot.
C:\WINDOWS\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\fknxwqf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karyn\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
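As an added example (not code from the thread or from Malwarebytes), a small Python parser for the MBAM 1.x log layout posted above. It cross-checks the summary counts against the itemised sections, flags entries still marked "Delete on reboot" (the reason a restart is needed before the cleanup is complete), and lists anything that lived under a `CurrentVersion\Run` key. The embedded log excerpt is constructed in that layout; its entries are illustrative, not the poster's full report.

```python
import re

# Constructed excerpt in the MBAM 1.x log layout used in this thread; entries
# are illustrative, not the poster's full log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\egodktf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7fdd0ea2 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Delete on reboot.
C:\WINDOWS\fknxwqf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")      # "Files Infected: 4"
HEADER_RE = re.compile(r"^(.+ Infected):$")              # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary counts, items per section); each item is a dict with
    obj (path or registry key), family (detection name) and action."""
    counts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and (m := ITEM_RE.match(line)):
            sections[current].append(m.groupdict())
        # "(No malicious items detected)" matches nothing and is skipped
    return counts, sections


def triage(text):
    """Cross-check the summary counts against the itemised sections, flag items
    still waiting on a reboot, and list anything that sat in a Run key."""
    counts, sections = parse_mbam_log(text)
    mismatches = {s: (counts.get(s), len(items))
                  for s, items in sections.items() if counts.get(s) != len(items)}
    pending = [i["obj"] for items in sections.values() for i in items
               if not i["action"].endswith("successfully.")]
    run_keys = [i["obj"] for i in sections.get("Registry Values Infected", [])
                if "\\CurrentVersion\\Run\\" in i["obj"]]
    return {"mismatches": mismatches, "pending_reboot": pending, "run_keys": run_keys}
```

A non-empty `pending_reboot` list means the machine is not clean until it has been restarted, which is exactly what the follow-up reply in this thread asks for.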

#10 boopme
  • Global Moderator

Posted 16 May 2008 - 10:36 AM

OK, looks good. A reboot was required, do so first if you haven't. Then you can re-enable and set a new restore point.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
