Winfixer


21 replies to this topic

#1 J-ROCK

Posted 22 May 2008 - 03:07 PM

Hi there.
Just wanted to let you know your site has been very helpful. Couldn't find much info or get any help anywhere else.

I got infected with the Winfixer pop-up window on my machine (I'm running Win XP). My computer was sending out an unusually high number of outbound e-mail messages without my knowledge. My internet provider sent me an e-mail with the notification.

I posted my issue in this thread because I followed the instructions above and it seems to have fixed most of my problems. I had to do the whole process about 3 times and now I only find one infected file when I run Malwarebytes' Anti-Malware.

It finds
Rootkit.agent C:\windows\system32\pjsapdg.sys

The SUPERAntiSpyware doesn't find it.

Malware finds it and quarantines it. I have deleted the quarantined file, then re-scanned using Malwarebytes' Anti-Malware, and it finds it every time.... Is this a virus or something?

Let me know if I need help.
Thanks,
J-ROCK

I just saw this link in the Tutorials..
Using Blacklight to detect and remove Rootkits from your computer
Should I run Blacklight ?

Sorry, Now I will be patient and wait for instruction. :thumbsup:

Edited by J-ROCK, 22 May 2008 - 03:46 PM.



#2 J-ROCK

Posted 27 May 2008 - 07:56 AM

It's been 5 days, is anyone able to help? I am probably not following the right process. Sorry about that.

#3 boopme

Posted 27 May 2008 - 09:27 AM

You posted at the end of a finished topic and became lost. Always start your own topic in the future, so problems like this don't occur, thanks. I will split this away into a topic of its own.

Please try the instructions in our tutorial
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.

#4 quietman7

Posted 27 May 2008 - 11:49 AM

The identified file is related to a rootkit component. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?", "Help: I Got Hacked. Now What Do I Do?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Please download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection. (Re-enable when done)
  • After starting the scan, DO NOT use the computer until the scan has completed.


#5 J-ROCK

Posted 01 June 2008 - 12:35 PM

I followed the instructions and here is my SDFix Report. I got the "Congratulations! There were no installed rootkits found on your computer." message and I also ran the Malwarebytes' Anti-Malware after it all and it no longer finds the rootkit.agent that it originally did.

Thanks so much, you're awesome! This is now my new favorite site.
J-ROCK

Can I connect that PC back up to my network?



SDFix: Version 1.186
Run by Administrator on Sat 05/31/2008 at 03:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 15:56:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Disabled:P2P Networking"
"C:\\Program Files\\Microsoft Hardware\\Game Voice\\GameVoice.exe"="C:\\Program Files\\Microsoft Hardware\\Game Voice\\GameVoice.exe:*:Enabled:Game Voice"
"D:\\UT2004\\System\\UT2004.exe"="D:\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"D:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"="D:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe:*:Disabled:Battlefront"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe:*:Enabled:BattlefrontII"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\BitLord\\BitLord.exe"="D:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\d.exe"="C:\\d.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 1 Nov 2003 52 A..H. --- "C:\Program Files\STOPzilla!\swin32z.sys"
Thu 22 Aug 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 May 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 12 May 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 2 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT27.tmp"

Finished!
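The "Authorized Application Key Export" section of the SDFix report above is the list of programs the Windows XP firewall lets through, and on a box that was sending spam it is worth reading line by line. The script below is an added example (not SDFix's, Malwarebytes' or anyone in this thread's code) that parses those .reg-style lines into their path / scope / state / description fields and flags the enabled exceptions a reviewer would want to look at first. The sample input is a subset of the entries from the report in this thread; the heuristics (executable sitting directly in a drive root, executable in a temp folder, value name not matching the path inside the data) are this example's own assumptions about what deserves a second look, not a verdict that any entry is malicious.

```python
"""Triage helper for the XP firewall AuthorizedApplications export printed by SDFix.

Each value under the key has the form
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<description>"
with backslashes doubled, as in any .reg export. Added example; the review
heuristics are assumptions, not rules from SDFix or Malwarebytes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the SDFix report posted in this thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Disabled:P2P Networking"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\d.exe"="C:\\d.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# Which firewall profile (standardprofile / domainprofile) a key block belongs to.
PROFILE_RE = re.compile(r'firewallpolicy\\(?P<profile>\w+)\\authorizedapplications', re.IGNORECASE)
# Lazy path match lets the "C:" drive colon inside the path survive the split on ':'.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<desc>.*)"$',
    re.IGNORECASE,
)
# Heuristic: an executable directly under a drive root, e.g. C:\d.exe (assumption).
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$', re.IGNORECASE)
# Heuristic: temporary locations a legitimate firewall exception rarely points at (assumption).
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\', '\\recycler\\')


@dataclass
class FirewallException:
    profile: str
    name: str          # the registry value name (normally identical to path)
    path: str          # executable path from inside the value data
    scope: str         # '*' = any remote address
    state: str         # 'enabled' or 'disabled' (normalised to lower case)
    description: str


def _unescape(value: str) -> str:
    # .reg exports double every backslash; fold them back to real path separators.
    return value.replace('\\\\', '\\')


def parse_export(text: str) -> list[FirewallException]:
    """Parse the key blocks and their quoted value lines into FirewallException records."""
    entries: list[FirewallException] = []
    profile = '?'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            found = PROFILE_RE.search(key.group('key'))
            profile = found.group('profile').lower() if found else '?'
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(FirewallException(
                profile, _unescape(m.group('name')), _unescape(m.group('path')),
                m.group('scope'), m.group('state').lower(), m.group('desc')))
    return entries


def review(entry: FirewallException) -> list[str]:
    """Return the reasons (possibly none) an enabled exception deserves a closer look."""
    findings: list[str] = []
    if entry.state != 'enabled':
        return findings  # a disabled exception opens nothing
    low = entry.path.lower()
    if DRIVE_ROOT_RE.match(entry.path):
        findings.append('executable sits directly in the drive root')
    if any(marker in low for marker in TEMP_MARKERS):
        findings.append('executable runs from a temporary location')
    if entry.name.lower() != entry.path.lower():
        findings.append('value name and path inside the data disagree')
    return findings


def review_export(text: str) -> dict[str, list[str]]:
    """Map each flagged executable path to its findings; clean entries are omitted."""
    return {e.path: f for e in parse_export(text) if (f := review(e))}


if __name__ == '__main__':
    for path, reasons in review_export(SAMPLE_EXPORT).items():
        print(f'{path}: {"; ".join(reasons)}')
```

Run as-is it prints the two root-level executables from the sample; feed it the full export pasted from a Report.txt to review a real box. The P2P Networking entry is skipped because it is Disabled, and the `%windir%` entries pass because the path is a real subfolder and the value name matches the data.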

#6 DaChew

Posted 01 June 2008 - 12:47 PM

It's been quite some time since you replied. Would you run a new, updated scan with MBAM and post the log? They have updated the program for better detection.

You will have to get the newest version and database, however.
Chewy


#7 J-ROCK

Posted 01 June 2008 - 01:14 PM

I downloaded the files last week and I just ran everything on the infected computer yesterday.

Sorry for my newbie-ness but what is MBAM and where do I get it...??

I tried the File section and the Resource section and the Search??

#8 DaChew

Posted 01 June 2008 - 01:21 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

If you want to keep the computer offline please note the manual update link

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.


http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Chewy


#9 J-ROCK

Posted 01 June 2008 - 01:42 PM

I am using another laptop right now, so I download the file, put it on a USB drive and transfer it over....

Should that be O.K. ?
Thanks,
J-ROCK

#10 boopme

Posted 01 June 2008 - 01:47 PM

Yes, good.

#11 J-ROCK

Posted 01 June 2008 - 02:03 PM

O.K....it said it updated from Version 800 to 812. I will re-run Malwarebytes' Anti-Malware and post the log.

Thanks,
J-ROCK

#12 J-ROCK

Posted 01 June 2008 - 06:06 PM

You are right, it found one....


Malwarebytes' Anti-Malware 1.14
Database version: 812

7:04:12 PM 6/1/2008
mbam-log-6-1-2008 (19-03-49).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 129448
Time elapsed: 1 hour(s), 9 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (StartMenu.Hijack) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 DaChew

Posted 01 June 2008 - 06:16 PM

Do you think it's clean now? How's it acting? The next step will be a lot harder to do and stay off the internet.

http://www.bleepingcomputer.com/forums/ind...mp;#entry634693

atf and SAS from safe mode

http://www.superantispyware.com/definitions.html

Manually updating definitions is a little tricky.
Chewy


#14 J-ROCK

Posted 01 June 2008 - 07:01 PM

I did the atf and SAS from safe mode several times....last weekend. Then after every time, I scanned with Malwarebytes and it found the rootkit.agent....

Rootkit.agent C:\windows\system32\pjsapdg.sys

I don't know if it's gone now?

What is this thing from the report??

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (StartMenu.Hijack) -> Bad: (0) Good: (1) -> No action taken.


Thanks,
J-ROCK

#15 DaChew

Posted 01 June 2008 - 07:14 PM

It may have been just a broken remnant. They update these anti-malware programs so often; I have found files left over from Vundo months after the infection, and they were harmless.
Chewy
