
Malware Infection, Ie Pop Up Directed To System-defender.com


7 replies to this topic

#1 akitachung


Posted 28 May 2008 - 09:15 PM

Hi, I'm trying to remove this after reading some threads here, but I am still unsuccessful.
It happens all the time: the privacy defender always tries to install, but it is blocked by the antivirus.

The report is here. Thank you.

SmitFraudFix v2.323

Scan done at 10:09:54.85, Thu 05/29/2008
Run from C:\Documents and Settings\Toshiba\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\Toshiba


C:\Documents and Settings\Toshiba\Application Data


Start Menu


C:\DOCUME~1\Toshiba\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINNT\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: IEEE 802.11g Wireless Card.
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


Scanning for wininet.dll infection


End
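The "Desktop Components" block in the rapport.txt above is the only entry SmitFraudFix flagged: an Active Desktop component whose Source is a local file:// page named privacy_danger, which is how the fake "Privacy Protection" wallpaper is wired in. As an added example (not part of the thread or of SmitFraudFix), here is a small parser that reads that section of a report and flags components pointing at local files; the report text is a constructed sample modelled on the one posted, and the second component and its host name are invented.

```python
import re

# Constructed sample in the shape SmitFraudFix prints into rapport.txt.
# Key 0 copies the entry from this thread; key 1 is an invented benign one.
SAMPLE_REPORT = r"""
Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINNT\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://intranet.example.invalid/weather.htm"
"SubscribedURL"=""
"FriendlyName"="Weather"
"""

# A .reg-style key header for an Active Desktop component, e.g. ...\Components\0
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Desktop\\Components\\\d+)\]\s*$")
# A .reg-style string value: "Name"="value"
VALUE_RE = re.compile(r'^"(\w+)"="(.*)"\s*$')


def parse_components(text):
    """Return one dict per component key, holding its key path and values."""
    components, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1)}
            components.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return components


def is_suspicious(component):
    """A desktop component rendering a local HTML file is the pattern seen
    here; legitimate components normally point at http(s) URLs."""
    src = component.get("Source", "").lower()
    return src.startswith("file:") or "privacy_danger" in src


def suspicious_components(text):
    """Parse a report and return only the components worth a closer look."""
    return [c for c in parse_components(text) if is_suspicious(c)]


if __name__ == "__main__":
    for comp in suspicious_components(SAMPLE_REPORT):
        print(comp["key"], "->", comp.get("Source"))
```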


#2 Orange Blossom


Posted 28 May 2008 - 10:19 PM

Hello akitachung and welcome to BC.

I have moved your topic from the HJT forum here to the Am I Infected forum where it can get the attention it deserves.

I have some questions:

Can you provide a link to the topic you read that suggested running SmitfraudFix?

What issues are you experiencing; pop-ups, redirects, etc.; on the computer that caused you to seek out that topic?

What security programs besides Avira Personal Edition Classic Antivirus do you have installed? Did you run scans with them? If so, what did they find?

Orange Blossom

#3 akitachung


Posted 28 May 2008 - 11:03 PM

My AntiVir's last detection is BAT/Fake.Privdanger, but this thing keeps on being detected by my AntiVir and blocked.

I can't find the topic link now, but it told us to scan with SmitfraudFix, then restart in safe mode and do the clean option 2.
But when I clicked "y" on fixing the registry, it popped up an error about clean.reg and cleanup.reg.

My IE always pops up after a few minutes. The pop-up website is system-defender.com.
I did run it with Norman Malware Cleaner; after cleaning they found nothing.

I also used U3 avast to scan, but now no virus/malware was found.

Currently I only have Avira PE. Thank you.

#4 akitachung


Posted 29 May 2008 - 10:24 PM

The IE pop-up links to:
hxxp://www.system-defender.com/freeware/2...did=37&p=01

I scanned it with Malwarebytes' today and found

Trojan.FakeAlert & Rague.KVMSecure.

The privacy-defender always shows up just after I log in, but luckily it is detected by the antivirus and blocked.
But it repeats every time I log in.

Please advise.

Edited by quietman7, 30 May 2008 - 08:27 AM.


#5 quietman7


Posted 30 May 2008 - 08:31 AM

Please do not post active links to possible malware sites. I have disabled the one you posted so others may not become accidentally infected.

You did not follow all the instructions for using SmitfraudFix. The rapport.txt you posted indicates that you only ran option #1 while in normal mode. You still need to complete the next step. Please print out these "instructions". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
The program will go through a series of cleanup processes and automatically start the Disk Cleanup program to remove Temporary files. Wait for the tool to complete and Disk Cleanup to finish.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

#6 akitachung


Posted 02 June 2008 - 10:43 PM

Thanks. I have run SDFix and below is the report.
I'll keep on monitoring the malware and report back, thank you.


SDFix: Version 1.187
Run by Toshiba on Tue 06/03/2008 at 11:01a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\index.htm - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\capt.gif - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\danger.jpg - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\down.gif - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\spacer.gif - Deleted
C:\WINNT\system32\TFTP924 - Deleted
C:\WINNT\gktxaspm.dll - Deleted
C:\WINNT\mdtgkswr.exe - Deleted
C:\WINNT\pxgdslro.dll - Deleted
C:\WINNT\system32\cdplayer.exe - Deleted



Folder C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 11:16:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 9 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Feb 2007 25,600 A..H. --- "C:\Program Files\Trimble\Geo05SerialSet\Geo05Service.dll"
Tue 24 Oct 2006 189,440 A..H. --- "C:\Program Files\Trimble\Geo05SerialSet\KryptonSupportRAPIWM.dll"
Fri 13 May 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 18 Nov 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Tue 18 Nov 2003 206,370 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Fri 13 May 2005 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Toshiba\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#7 akitachung


Posted 04 June 2008 - 10:14 PM

I see no pop-ups and no virus detected anymore. I think the malware has been removed, thanks a lot.

#8 quietman7


Posted 05 June 2008 - 07:33 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".
"How to Set Security Options in the Firefox Browser".