Seeking Help With Antivirus And Hjtlog


36 replies to this topic

#1 GRM1

Posted 06 June 2008 - 12:07 AM

Hi, I am a complete beginner with computers, have gotten a virus (I think) which keeps sending pop-ups about buying AntiVirus software. I have McAfee on my system but it doesn't show any problems when I run the scan. I used the McAfee community forum to find out that I needed RogueRemover and HijackThis. Have downloaded both and run both on my system. RR shows nothing. I have the analyzed HJT log on the computer, should I post it here? Sorry, this is my first post to this helpful service! :thumbsup:
Any help would be hugely appreciated!
Thanks,
Gerald


#2 boopme

Posted 06 June 2008 - 12:22 AM

Hello and welcome GRM1.
No HiJack logs here; if needed we will ask you to post it.
Please tell us your operating system: XP, Vista, etc.

You can do these items first, sorry I won't be back till tomorrow to look at them.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Next do part 1 of 2 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Follow with:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by boopme, 06 June 2008 - 12:22 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 GRM1

Posted 06 June 2008 - 02:11 AM

My system is XP. Thanks for the prompt reply, I understand it will be tomorrow before I hear again, meanwhile will follow your advice. Thanks again,
GRM1

#4 boopme

Posted 06 June 2008 - 10:10 AM

I meant to ask you if the AV had given you a specific name of a malware?

#5 GRM1

Posted 07 June 2008 - 07:47 PM

No, McAfee doesn't warn of any virus. The pop-ups I'm getting give the impression of being from Microsoft, and are getting worse. I've tried to connect this am to the atribune site you suggested, but am being blocked from doing that. We have a small network at home run through a router, and the infection seems to be spreading to other computers in the network. It is Antivirus 2008, but I can't right click the icon on the bottom right hand margin, when I call up the Task Manager there is no sign of an application running so I can't even shut the pop-ups using task manager. I'll have another go with the atribune site and see if I can access it from here.
Thanks,
Gerald

#6 DaChew

Posted 07 June 2008 - 10:07 PM

If there's a computer or two that are relatively clean, please disconnect all others that are infected from the LAN.

We can't fight an infection like this if it is spreading and reinfecting as fast as we try to fix it.

We will need a USB drive to immunize and download fixes to so they can be transferred to the infected computers.

Edited by DaChew, 07 June 2008 - 10:07 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 GRM1

Posted 08 June 2008 - 04:30 AM

OK, this computer seems to be cleanest, so will keep using this and disconnect the others. I found the tutorial on getting rid of malware and have managed to download DSS. Have also enabled Microsoft's firewall. Shall I continue with these steps, or go back to advice above about downloading from atribune? Thanks, I appreciate your help. Gerald.

#8 DaChew

Posted 08 June 2008 - 04:45 AM

Yes, do Boopme's advice on that computer,

but also let's work on the others or at least prepare for that

Do not start posting a bunch of HJT or DSS logs

http://www.bleepingcomputer.com/forums/ind...st&p=845007

you will have some of the files for post 11, go down and start with manual updates and sub's disinfector and let's build an arsenal

Boopme asked me to look in, I didn't expect to be cleaning a lan

Some just flatten and reload the whole mess

#9 GRM1

Posted 08 June 2008 - 04:57 AM

Sorry, I hadn't thought the virus would spread through the LAN. I've disconnected the other computers, and tried to access atribune from here, but it's no-go. I'm getting "The page cannot be displayed" - due to not finding the server or DNS error. I will try from my workplace tomorrow to get the ATF Cleaner and the SmitfraudFix software on a datastick. Thanks again for your help.
Gerald

#10 GRM1

Posted 08 June 2008 - 05:00 AM

Just a quick thought: can this virus transfer onto a datastick or other portable media? Thinking also of my daughter's iPod and my MP3 player...

#11 DaChew

Posted 08 June 2008 - 05:12 AM

Please review that thread I linked to.

You have some intensive study ahead.

Yes, the infection can spread if allowed.

Most don't infect portable drives, but why take a chance?

#12 GRM1

Posted 08 June 2008 - 05:14 AM

OK, many thanks. Will study hard! 'Bout to go to bed here in cold southern hemisphere NZ.
G

#13 DaChew

Posted 08 June 2008 - 05:16 AM

Another option: pick the computer that's worst or has the least to lose, format and reinstall Windows, and use it to disinfect the others.

#14 GRM1

Posted 08 June 2008 - 09:49 PM

Hi, I have been following boopme's instructions, but can't get S!Ri's SmitfraudFix to run. I get a warning from McAfee that there is a script error and a second warning that a PUP has been detected. If I select to allow both of those I get a message in a dialogue box headed C:\Windows\System32\cmd.exe which reads "joedanger is NOT involved with SmitfraudFix in any way! ... Press any key to continue...". If I try to press a button or type 1 nothing happens. Do I need to be connected to the internet for SmitfraudFix to run? Thanks,
G

#15 GRM1

Posted 09 June 2008 - 12:18 AM

Hi, I have followed boopme's instructions on our second computer, and managed to run all three pieces of software (ATF, SmitfraudFix and MBAM). That computer is the one that I thought was least affected, if at all, although I had seen a couple of the pop-ups. The results of the latter two pieces of software are pasted below. I remain hugely appreciative of your help, and will next try going back to the computer that I couldn't get SmitfraudFix to work on to see if I can get it working...
all the best
G

Results of SmitfraudFix and MBAM:
SmitFraudFix v2.323

Scan done at 15:49:19.21, 09/06/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\MYHPPA~1\Pavilion\XPHAPBF3EN\plugin\bin\pchbutton.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Symantec Network Security Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B2BA0508-38EF-465D-922E-A30E7D8E3EAF}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B2BA0508-38EF-465D-922E-A30E7D8E3EAF}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B2BA0508-38EF-465D-922E-A30E7D8E3EAF}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End





Malwarebytes' Anti-Malware 1.15
Database version: 841

17:07:22 09/06/2008
mbam-log-6-9-2008 (17-07-22).txt

Scan type: Quick Scan
Objects scanned: 40153
Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\realarcade.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
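An added example, not from the thread or from the MBAM/SmitfraudFix authors: a small Python parser that reads the MBAM summary and detection lines and compares the Winlogon/AppInit_DLLs values SmitfraudFix dumps against a stock XP baseline, so a helper can check a posted log for miscounted detections or a tampered logon key. The sample logs are constructed from the output above and the baseline values are an assumption.

```python
import re
from collections import Counter

# Constructed samples, abridged from the MBAM and SmitfraudFix output posted above.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.15
Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\realarcade.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

SMITFRAUD_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
"""

# Assumed baseline: stock XP values for the logon keys SmitfraudFix dumps.
EXPECTED = {"AppInit_DLLs": "", "Userinit": r"C:\WINDOWS\system32\userinit.exe,", "System": ""}


def parse_mbam(log):
    """Return (summary counts, detection records) from an MBAM 1.x log."""
    counts, detections, section = {}, [], None
    for line in log.splitlines():
        if m := re.match(r"^(.+?) Infected: (\d+)$", line):
            counts[m.group(1)] = int(m.group(2))        # summary block
        elif m := re.match(r"^(.+?) Infected:$", line):
            section = m.group(1)                         # detail block header
        elif section and (m := re.match(r"^(.+?) \(([^)]+)\) -> (.+)$", line)):
            detections.append({"section": section, "item": m.group(1),
                               "family": m.group(2), "action": m.group(3)})
    return counts, detections


def count_mismatches(counts, detections):
    """Sections whose summary count disagrees with the detections actually listed."""
    seen = Counter(d["section"] for d in detections)
    return sorted(s for s, n in counts.items() if n != seen.get(s, 0))


def check_logon_keys(log):
    """Logon keys in a SmitfraudFix dump whose value differs from the baseline."""
    findings = []
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', log, re.M):
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name in EXPECTED and value != EXPECTED[name]:
            findings.append((name, value))
    return findings
```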