
Infected Seriously With Spyware

6 replies to this topic

#1 ranayl (Member, 8 posts)

Posted 28 May 2008 - 02:05 PM

Recently, while I was going through my Yahoo mail, I opened one of the mails with the subject "Quote for cabling". As I was expecting the quote from my clients, I opened this mail on my laptop (with Windows XP Pro). Suddenly I got a blue screen error message and my laptop restarted. Once restarted, my laptop was affected with lots of spyware. I tried to install tools like ComboFix, HijackThis etc., but I cannot open/install ComboFix or HijackThis. Then I thought of going to the online scanning from Symantec or McAfee, but a strange thing happened. I cannot go to any antivirus site; it shows a 404 page error. I can go to all other sites like Google and Yahoo, but not to any of these sites, and it is even blocking BleepingComputer.com also. It changed my computer Product ID to VIRUSALERT!, and on the taskbar where the time displays, this is also appearing along with it (for example, 9.57AM VIRUSALERT!). I copied some of the spyware removers (SuperAntiSpyware Free Edition, Ad-Aware 2007 etc.) to a CD and scanned after installing them on my laptop. This only helped me to enable my taskbar and regedit. While I was going through the task processes I found one task called Lanmanwrk.exe running. But I cannot remove this, since my laptop is not allowing me to go to any website, and updating of the installed products is also blocked.

When I went through My Computer, my drives had disappeared.

Please help me out.
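The symptoms in the opening post (security vendor sites unreachable, the Product ID and the clock text replaced with VIRUSALERT!, drives missing from My Computer) each map to a setting a responder can check before reaching for a scanner. The Python below is an added example, not code from any poster in this thread. It assumes the usual mechanisms behind such symptoms: a hosts-file entry pinning vendor hostnames, Explorer's NoDrives policy bitmask for the hidden drives, and the sTimeFormat and ProductId registry values for the clock and Product ID. The thread itself does not confirm which mechanism the malware used. The hostname list, the registry paths used as dictionary keys, and the sample hosts file and registry values are all constructed so the checks run offline instead of reading the live registry with winreg.

```python
import re

# Vendors the poster could not reach; the vendor names come from the thread,
# the hostnames used to match them are an assumption.
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "kaspersky.com", "trendmicro.com",
    "bleepingcomputer.com", "malwarebytes.org", "windowsupdate.com",
)

# Registry value paths (used here only as dict keys for the constructed sample;
# on a live XP box they would be read with winreg).
TIME_FORMAT_KEY = r"HKCU\Control Panel\International\sTimeFormat"
PRODUCT_ID_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId"
NODRIVES_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"

# Shape of a genuine XP Product ID, e.g. 55274-640-1234567-23456 or
# 76487-OEM-0011903-00102 (an assumption about the usual format, not a full validator).
PRODUCT_ID_RE = re.compile(r"^\d{5}-(?:OEM|\d{3})-\d{7}-\d{5}$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def hosts_redirects(text):
    """Entries that pin a security-vendor hostname (or a subdomain of one) to any address.

    A hosts-file entry is one common way malware makes AV sites unreachable; the thread
    does not say which mechanism was used, so treating it as the cause is an assumption."""
    return [
        (ip, name) for ip, name in parse_hosts(text)
        if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)
    ]


def hidden_drives(nodrives):
    """Decode Explorer's NoDrives bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if nodrives & (1 << bit)]


def injected_time_text(time_format):
    """Return whatever is left of sTimeFormat after removing legitimate format characters.

    Genuine values are built from h/H, m, s, t and separators (e.g. "h:mm:ss tt");
    any other text, such as "VIRUSALERT!", has been injected."""
    return re.sub(r"[hHmst\s:./\-]", "", time_format)


def triage(hosts_text, registry):
    """Run every check; `registry` maps value path -> data, standing in for winreg reads."""
    return {
        "hosts_redirects": hosts_redirects(hosts_text),
        "time_format_injected": injected_time_text(registry.get(TIME_FORMAT_KEY, "")),
        "product_id_tampered": not bool(PRODUCT_ID_RE.match(registry.get(PRODUCT_ID_KEY, ""))),
        "hidden_drives": hidden_drives(registry.get(NODRIVES_KEY, 0)),
    }


# Constructed sample data modelled on the symptoms in the opening post.
SAMPLE_HOSTS = """\
# constructed hosts file, not taken from the infected laptop
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       us.mcafee.com
127.0.0.1       www.bleepingcomputer.com
192.168.1.5     fileserver.corp.example   # legitimate internal entry, must not be flagged
"""

SAMPLE_REGISTRY = {
    TIME_FORMAT_KEY: "h.mmtt VIRUSALERT!",   # clock shows e.g. "9.57AM VIRUSALERT!"
    PRODUCT_ID_KEY: "VIRUSALERT!",           # Product ID overwritten, as in the post
    NODRIVES_KEY: 0b1100,                    # bits 2 and 3 set: C: and D: hidden
}

if __name__ == "__main__":
    for check, result in triage(SAMPLE_HOSTS, SAMPLE_REGISTRY).items():
        print(f"{check}: {result}")
```

Run against the sample it reports the four vendor hostnames pinned to 127.0.0.1, the injected "VIRUSALERT!" text, a Product ID that does not match the expected shape, and C: and D: as the hidden drives; on a clean box every list is empty and the Product ID check passes. A hosts file or NoDrives value taken from a live machine is more useful than the sample, but note that a rootkit can hide or lie about both, which is why quietman7's advice later in the thread is to treat the machine as untrusted regardless of what such checks show.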


#2 Guest_superbird_* (Guest)

Posted 28 May 2008 - 02:14 PM

Hi,

Try to do as many of the steps as you can:

1. Download ATF Cleaner (by Atribune).

Double-click ATF Cleaner to start the program.
On the "Main" tab, place a mark at Select All.
Click the button Empty Selected.

If you use Firefox:
Click the "Firefox" tab, place a mark at Select All.
If you would like to keep the stored passwords in Firefox, please choose "No" in the window that opens.
(This removes the mark at "Firefox saved passwords".)
Click the button Empty Selected.

If you use Opera:
Click the "Opera" tab, place a mark at Select All.
If you would like to keep the stored passwords in Opera, please choose "No" in the window that opens.
Click the button Empty Selected.

Go to the "Main" tab and click the button Exit to close the program.

2. Download the following programs, but do nothing more than that:

3. Install the programs advised in step 2, and update them.

4. Restart your computer in Safe Mode. See here for a tutorial on how to do this.

5. Scan with the following programs:
  • Your antivirus scanner.
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
    Post the results in your next answer.
6. Restart your computer again, but now in Normal Mode.

7. Go to Kaspersky Online Scanner.
Click the button Accept.
This scanner is only compatible with Internet Explorer 6 and higher!
You may have to click a yellow bar to activate the ActiveX files that Kaspersky needs to run and download. Accept this.
  • The program will now start downloading the latest definition files. After this you need to click Next.
  • Then click Scan Settings.
    Beneath the text "Scan using the following antivirus database:" you need to choose the second option: extended - protect your .....
    Beneath the text "Scan options:" you need to check the following boxes: Scan Archives .... and Scan Mail Bases ....
  • Then click OK.
  • Now start the scan by clicking the text My Computer.
    Note that this scan may take a while.
  • When the scan is finished, you'll get the option to save the scan report.
    Click the button Save Report As. Save the report to your Desktop with the name kavscan.txt.
Post this report in your next reply.

8. Now, post the logs/results in your next answer. Tell me which problems you still have. I need the following reports:
  • The results of your antivirus program
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
  • Kaspersky Online Scan
Good luck.

Edited by superbird, 28 May 2008 - 02:15 PM.


#3 ranayl (Topic Starter, Member, 8 posts)

Posted 29 May 2008 - 10:18 AM

I've downloaded ATF Cleaner, but it was of no use. I had tried removing the spyware from Safe Mode only, but it is not working. I cannot go to any of the online scanners (Kaspersky, McAfee, Symantec, Trend Micro) since I'm getting the error "page cannot be displayed". Any other help?

#4 Guest_superbird_* (Guest)

Posted 29 May 2008 - 10:25 AM

Have you tried steps 2-6 and 8 (the normal programs)? Does this help?

If not:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Greetings,
Superbird :thumbsup:

#5 quietman7 (Global Moderator, Bleepin' Janitor, 50,588 posts, Virginia, USA)

Posted 29 May 2008 - 11:35 AM

One or more of the identified infections is related to a rootkit component. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?", "Help: I Got Hacked. Now What Do I Do?" and "Reformatting the computer or troubleshooting; which is best?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 ranayl (Topic Starter, Member, 8 posts)

Posted 01 June 2008 - 02:41 AM

I solved the problem. I downloaded RegRun Security Suite and scanned for the virus. It detected the Lanmanwrk file and deleted it. Now I can go to all the antivirus sites and also to the BleepingComputer.com site.

Thanks for the support.

#7 quietman7 (Global Moderator, Bleepin' Janitor, 50,588 posts, Virginia, USA)

Posted 01 June 2008 - 06:22 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

This still does not affect the fact that your computer was compromised by a dangerous rootkit so I suggest you change all your passwords.



