
Malware Attack


28 replies to this topic

#1 marti42

marti42

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 17 May 2008 - 09:41 AM

Yesterday, my virus checker picked up about 20 new trojans. WinFixer pop-ups began occurring. I performed several scans (McAfee, Ad-Aware, and Spybot Search and Destroy). WinFixer was still present so I did another virus scan in safe mode overnight. When I turned the computer on this morning black beetles were crawling over a blue screen and start-up was very slow. Spybot automatically ran and detected 25 problems and removed 232 of them. (Two Smitfraud-C problems were not removed. There are two maxpaynow items in the start commands: maxpaynow1 and maxpaynowti1.) What do I do?


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 17 May 2008 - 09:55 AM

Hello and welcome to BC.
Are you using XP?
Please use this self-help tutorial: How to Remove WinFixer / Virtumonde / Msevents

Next run this scan.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 08:20 AM

I ran VundoFix and it found nothing. When I went to open Explorer to download VirtumundoBeGone the computer rebooted, and on the opening of Windows I am getting errors such as (C:\windows\17PHolmes27.exe) and now Brave-Sentry 2.0 has just popped up. Help

#4 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 09:03 AM

I am using XP Professional. I have been infected and on the first suggestion to clean using VundoFix nothing was found, but the computer rebooted. On reboot I get errors such as C:\windows\shell.exe and C:\windows\17pHolmes27.exe; there was also a bad image error. Spybot ran and detected and killed? maxpay1.exe, Smitfraud-C.
WinFixer has also made an appearance. Brave-Sentry also popped up.
Currently Resident pop-ups are saying Process terminated, Identified as a User decision (such as vedxga5me3.exe)

I think I need serious help

Thanks

Mod Edit: Merged from - Resident Popups Process Terminated. ~ TMacK

Edited by TMacK, 18 May 2008 - 12:21 PM.


#5 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 12:27 PM

I have been trying to run MBAM but the computer goes crazy whenever I connect to the internet. MBAM downloaded fine, but when MBAM was started I never saw the program open, although if I try to open it again it states that it is already running. Also, the Windows installer has been trying to install a USB device. Can I try to run MBAM in safe mode?
Tried to run MBAM again and received the message "insufficient system resources to complete the task".
Ctrl-Alt-Del no longer works.

Edited by marti42, 18 May 2008 - 12:38 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 18 May 2008 - 01:47 PM

OK, let's do it this way if possible; if nothing else works we'll go to HiJack.

Let's run Part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#7 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 02:18 PM

I downloaded SmitfraudFix, but when I double-clicked on the executable file, C:\windows\system32\cmd.exe opened, followed by a Windows installer that is trying to install a USB Utility. Spybot began to run on boot-up but seems to be hung up. Should I attempt to close any of these windows? Too late, the computer just rebooted on its own.

I will try to run SmitFraudfix again after reboot but this could take a while.

Edited by marti42, 18 May 2008 - 02:20 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 18 May 2008 - 02:27 PM

OK then. Try this

Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#9 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 02:42 PM

In the C:\windows\system32\cmd.exe window it said something about Joedanger not being associated with SmitfraudFix. Hit any key to continue. Is this legit?
Waited too long; the computer just rebooted itself again.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 18 May 2008 - 02:58 PM

I gave you the legit file

#11 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 03:05 PM

I am sorry, I didn't mean to imply that you gave me an illegitimate file; I just wasn't sure if the screen that I was seeing was part of the program or if it was the work of the malware.
When I tried to run SUPERAntiSpyware the Windows installer asked for an OK for a whole list of settings; is this expected?
As you can tell I am very nervous, being that I do not know what to expect from the viruses.
I do trust you and appreciate your patience. Thanks

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 18 May 2008 - 03:13 PM

No, I just meant I gave you the legit link; it was OK to use.
All the tools I will give you are tried and true and safe. All have been checked here at BC before we allow their use.
Concern is good.

Edited by boopme, 18 May 2008 - 03:14 PM.


#13 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  •  
  • Local time:05:09 AM

Posted 18 May 2008 - 03:55 PM

I finally thought I was making some progress in that I successfully ran SmitfraudFix and generated a report which I copied. Unfortunately the computer crashed before I could paste it into a response. Everything is moving very slowly. Spybot (TeaTimer) is constantly blocking a start page switch. Should I try SmitfraudFix again with TeaTimer deactivated to free up some memory?
Still unable to open and load SUPERAntiSpyware.
Next step?

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:09 AM

Posted 18 May 2008 - 04:13 PM

I have had some experience removing infections where McAfee and TeaTimer let them through; I had to run Windows as a repair disk to fix some errors. I had the computers disconnected from the internet the entire time.
Chewy

No. Try not. Do... or do not. There is no try.

#15 marti42

marti42
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:05:09 AM

Posted 18 May 2008 - 04:27 PM

Finally, the SmitfraudFix log:


SmitFraudFix v2.320

Scan done at 17:07:46.54, Sun 05/18/2008
Run from C:\Documents and Settings\tvdsb\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\tvdsb\ie_updates3r.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\services.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpbkup.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\System32\maxpaynow1.exe
C:\WINDOWS\System32\maxpaynowti1.exe
C:\WINDOWS\System32\wind32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SMARTProductUpdate.exe
C:\WINDOWS\System32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\msiexec.exe

hosts

hosts file corrupted !

10.18.250.4 download.microsoft.com
10.18.250.4 downloads.microsoft.com
10.18.250.4 go.microsoft.com
10.18.250.4 microsoft.com
10.18.250.4 msdn.microsoft.com
10.18.250.4 office.microsoft.com
10.18.250.4 support.microsoft.com
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.microsoft.com
10.18.250.4 pandasoftware.com
10.18.250.4 www.pandasoftware.com

C:\


C:\WINDOWS

C:\WINDOWS\desktop.html FOUND !
C:\WINDOWS\xpupdate.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\tvdsb


C:\Documents and Settings\tvdsb\Application Data


Start Menu


C:\DOCUME~1\tvdsb\FAVORI~1

C:\DOCUME~1\tvdsb\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\tvdsb\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\tvdsb\FAVORI~1\Spyware?Malware Protection.url FOUND !

Desktop

C:\DOCUME~1\tvdsb\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\tvdsb\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\tvdsb\Desktop\Spyware?Malware Protection.url FOUND !

C:\Program Files

C:\Program Files\BraveSentry\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: nldfmtappek.dll
BHO: QXK Rhythm - {831c798d-f9ad-4659-8625-63f2a439f439}
TypeLib: {279A1421-296B-4652-B7E2-BE3C6B624384}
Interface: {74475532-2e19-454f-9e68-f7b6bc88833d}
Interface: {7a67c084-a290-4f3d-9c40-50edb5721e2c}

[!] Suspicious: gktxaspm.dll
Toolbar: gktxaspm - {C9A66198-D585-4160-A963-A889176926B0}
TypeLib: {4FF6AC4F-E0D8-40C3-BAE6-E1C9DEF2C03F}
Interface: {8b3d932d-28df-4379-85ef-058835b794ae}
Classe: gktxaspm.bxkm
Classe: gktxaspm.ToolBar.1

[!] Suspicious: pxgdslro.dll
SSODL: pxgdslro - {9F82D2FD-B97B-41A0-ABA0-B378EE82323F}


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\wowfx.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC
DNS Server Search Order: 64.71.255.198

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE954DCE-3B8C-49F2-8257-8CB9EFDB27CF}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE954DCE-3B8C-49F2-8257-8CB9EFDB27CF}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE954DCE-3B8C-49F2-8257-8CB9EFDB27CF}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198


Scanning for wininet.dll infection


End
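The report above carries three classic signs of this infection family: a hijacked hosts file pointing Microsoft and Panda update domains at 10.18.250.4, a lookalike C:\WINDOWS\services.exe and drivers\spools.exe among the running processes, and a non-empty AppInit_DLLs value. The script below is an added example, not part of the thread or of S!Ri's SmitfraudFix tool, that parses a report in this text layout and flags those three patterns. The section header names, the vendor-domain suffix list and the 0.85 name-similarity cutoff are assumptions chosen for illustration, and the embedded report is a constructed subset of the one posted here.

```python
"""Triage a SmitfraudFix-style text report for lookalike system processes,
a hijacked hosts file and an AppInit_DLLs entry.
Added example; not part of the thread or of the SmitfraudFix tool."""
import difflib
import ipaddress
import re

# Constructed sample: a subset of the report posted in the thread, trimmed to
# the sections the checks below read.
SAMPLE_REPORT = r"""
Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\maxpaynow1.exe
C:\WINDOWS\system32\drivers\spools.exe

hosts

hosts file corrupted !

10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.pandasoftware.com
127.0.0.1 localhost

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\wowfx.dll"

Winlogon
"""

# Section headers as they appear in the report (assumed subset).
SECTION_NAMES = ("Process", "hosts", "AppInit_DLLs", "Winlogon", "DNS", "End")

# Windows binaries that legitimately live only in system32; a copy elsewhere,
# or a near-miss name such as spools.exe, is how this family hides in a
# process list.
SYSTEM_BINARIES = sorted({"smss.exe", "winlogon.exe", "services.exe",
                          "lsass.exe", "svchost.exe", "spoolsv.exe"})

# Update and AV vendor domains (assumed list). No legitimate configuration pins
# these in the hosts file, so any entry at all is a finding, loopback or not.
PROTECTED_SUFFIXES = ("microsoft.com", "pandasoftware.com", "mcafee.com",
                      "symantec.com", "malwarebytes.org")


def split_sections(report):
    """Map each known section header to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            current = line
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def check_processes(paths):
    """Flag system binary names outside system32 and near-miss spellings."""
    findings = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        lname = name.lower()
        if lname in SYSTEM_BINARIES:
            if not directory.lower().endswith("\\system32"):
                findings.append(f"process: {name} running outside system32 ({path})")
        elif difflib.get_close_matches(lname, SYSTEM_BINARIES, n=1, cutoff=0.85):
            findings.append(f"process: {name} resembles a system binary name ({path})")
    return findings


def check_hosts(lines):
    """Flag any hosts entry for a vendor domain, whatever address it points to."""
    findings = []
    for line in lines:
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except (IndexError, ValueError):
            continue  # banner text such as "hosts file corrupted !"
        for host in parts[1:]:
            if host.lower().endswith(PROTECTED_SUFFIXES):
                findings.append(f"hosts: {host} pinned to {addr}")
    return findings


def check_appinit(lines):
    """A non-empty AppInit_DLLs value is loaded into every process that maps
    user32.dll, which is why the report prints the key even though it can be benign."""
    for line in lines:
        m = re.match(r'"AppInit_DLLs"="(.*)"$', line)
        if m and m.group(1).strip():
            return [f"AppInit_DLLs: {m.group(1)} loaded into every GUI process"]
    return []


def triage(report):
    """Run all checks over one report and return the findings in report order."""
    sections = split_sections(report)
    return (check_processes(sections.get("Process", []))
            + check_hosts(sections.get("hosts", []))
            + check_appinit(sections.get("AppInit_DLLs", [])))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run against the sample it reports five findings: the services.exe copy in C:\WINDOWS, spools.exe as a near miss of spoolsv.exe, the two vendor domains pinned to 10.18.250.4, and wowfx.dll in AppInit_DLLs. A hosts entry for a vendor domain is flagged even when it points at 127.0.0.1, because sinkholing update servers to loopback is just as effective at blocking a cleanup as redirecting them to a fake server.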



