Antispystorm Fallout


6 replies to this topic

#1 tthotdog

  • Members
  • 3 posts

Posted 08 June 2008 - 12:35 AM

Hello! So I had a rough fight with the Antispystorm malware/virus. While I managed to remove said malware with the help of Bleeping Computer, my browser has become very slow. Fast enough for basic browsing but not nearly as fast as before Antispystorm. Any help would be great!!! ----- tthotdog


#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 June 2008 - 07:30 AM

What OS (Win 2K, XPsp1, XPsp2, Vista) are you using? What steps did you take to remove the malware? We don't want to provide instructions for steps you already tried.

Edited by quietman7, 08 June 2008 - 07:31 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 tthotdog

  • Topic Starter

  • Members
  • 3 posts

Posted 08 June 2008 - 10:54 AM

Oh yeah, sorry! Working on Windows XP. I followed some directions found elsewhere on this site, and while I can't remember exactly what I did, it involved using Malwarebytes, SUPERAntiSpyware and I think even adding some code to the registry. Sorry that I don't have the details, but I thought I beat it a week ago. But ever since, I notice that my browsing speed is way slower.

Help! Thanks!--- tthotdog

#4 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2008 - 07:15 AM

Can you post the previous log scan reports from MBAM and SAS?

Then rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.

#5 tthotdog

  • Topic Starter

  • Members
  • 3 posts

Posted 09 June 2008 - 11:50 PM

OK. Just scanned with both apps. Here are the latest logs:

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Full Scan (C:\|)
Objects scanned: 246429
Time elapsed: 49 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/10/2008 at 00:29 AM

Application Version : 4.1.1046

Core Rules Database Version : 3475
Trace Rules Database Version: 1466

Scan type : Complete Scan
Total Scan Time : 01:53:22

Memory items scanned : 389
Memory threats detected : 0
Registry items scanned : 7110
Registry threats detected : 0
File items scanned : 198971
File threats detected : 44

Adware.Tracking Cookie
C:\Documents and Settings\Timothy\Cookies\timothy@realmedia[3].txt
C:\Documents and Settings\Timothy\Cookies\timothy@server.iad.liveperson[4].txt
C:\Documents and Settings\Timothy\Cookies\timothy@media.adrevolver[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@bs.serving-sys[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@collective-media[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@zedo[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@tribalfusion[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@insightexpressai[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@server.iad.liveperson[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@clicktorrent[3].txt
C:\Documents and Settings\Timothy\Cookies\timothy@statcounter[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@atdmt[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@tacoda[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@serving-sys[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@revsci[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@ad.yieldmanager[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@media.adrevolver[3].txt
C:\Documents and Settings\Timothy\Cookies\timothy@apmebf[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@fastclick[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@casalemedia[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@adopt.euroclick[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@questionmarket[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@adrevolver[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@media6degrees[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@trafficmp[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@imrworldwide[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@ads.revsci[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@advertising[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@doubleclick[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@adserver.adreactor[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@ad.yieldmanager[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@ads.revsci[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@adserver.adreactor[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@atdmt[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@bs.serving-sys[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@clicktorrent[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@doubleclick[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@overture[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@realmedia[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@server.iad.liveperson[1].txt
C:\Documents and Settings\Timothy\Cookies\timothy@server.iad.liveperson[3].txt
C:\Documents and Settings\Timothy\Cookies\timothy@serving-sys[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@statcounter[2].txt
C:\Documents and Settings\Timothy\Cookies\timothy@tribalfusion[2].txt

However, if it is helpful, these are copies of the logs from around the time I was first infected about two weeks ago:

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 40865
Time elapsed: 37 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\devqjmxm\rshsrkre.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\wkey (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\B0Ux62Z1rk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\158117 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\devqjmxm\rshsrkre.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7K5FHVKC\mywehfoto[1].htm (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Timothy\Application Data\Microsoft\dtsc\32746.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1645.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntpl.bin (Trojan.Agent) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2008 at 01:15 AM

Application Version : 4.1.1046

Core Rules Database Version : 3468
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 02:58:15

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 7237
Registry threats detected : 31
File items scanned : 330884
File threats detected : 53

Parasite.CoolWebSearch Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}
C:\WINDOWS\OLEHELP.EXE

HTMLCore Module BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}

CoolWebSearch Parasite Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}

Adware.CoolWebSearch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}

Browser Hijacker.Tubby
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}

ClientMan BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\6
HKLM\Software\6#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\6#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\6#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\7
HKLM\Software\7#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\7#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\7#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\8
HKLM\Software\8#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\8#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\8#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Trojan.Fake-Drop/Gen
C:\WINDOWS\ACCESSS.EXE
C:\WINDOWS\AVPCC.DLL
C:\WINDOWS\CLRSSN.EXE
C:\WINDOWS\CPAN.DLL
C:\WINDOWS\CTFMON32.EXE
C:\WINDOWS\CTRLPAN.DLL
C:\WINDOWS\DIRECTX32.EXE
C:\WINDOWS\DNSRELAY.DLL
C:\WINDOWS\EDITPAD.EXE
C:\WINDOWS\EXPLORE.EXE
C:\WINDOWS\EXPLORER32.EXE
C:\WINDOWS\FUNNIEST.EXE
C:\WINDOWS\FUNNY.EXE
C:\WINDOWS\GFMNAAA.DLL
C:\WINDOWS\HELPCVS.EXE
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\INETINF.EXE
C:\WINDOWS\INTERNET.EXE
C:\WINDOWS\MSCONFD.DLL
C:\WINDOWS\MSSPI.DLL
C:\WINDOWS\MSSYS.EXE
C:\WINDOWS\MSUPDATE.EXE
C:\WINDOWS\MSWSC10.DLL
C:\WINDOWS\MSWSC20.DLL
C:\WINDOWS\MTWIRL32.DLL
C:\WINDOWS\NOTEPAD32.EXE
C:\WINDOWS\QTTASKS.EXE
C:\WINDOWS\QUICKEN.EXE
C:\WINDOWS\RUNDLL16.EXE
C:\WINDOWS\SEARCHWORD.DLL
C:\WINDOWS\SISTEM.EXE
C:\WINDOWS\SVCHOST32.EXE
C:\WINDOWS\SVCINIT.EXE
C:\WINDOWS\TIME.EXE
C:\WINDOWS\USERS32.EXE
C:\WINDOWS\WAOL.EXE
C:\WINDOWS\WIN32E.EXE
C:\WINDOWS\WIN64.EXE
C:\WINDOWS\WINAJBM.DLL
C:\WINDOWS\WINDOW.EXE
C:\WINDOWS\WINMGNT.EXE
C:\WINDOWS\X.EXE
C:\WINDOWS\XPLUGIN.DLL
C:\WINDOWS\Y.EXE

Trojan.Unclassified/IExplorer-Fake
C:\WINDOWS\IEXPLORER.EXE

Trojan.Unclassified/Loader-Suspicious
C:\WINDOWS\LOADER.EXE

Trojan.Downloader-Systeem
C:\WINDOWS\SYSTEEM.EXE

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\AZIPCONTMN.DLL
C:\WINDOWS\SYSTEM32\SYSFOLDERAZIPCNT.DLL

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\STU.DLL

Rogue.Multi-Dropper/Installer
C:\WINDOWS\SYSTEM32\VBPDTVDP.EXE

Trojan.Downloader-SystemCritcial/Fake Alert
C:\WINDOWS\SYSTEMCRITICAL.EXE

OK, thanks for your help!!
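
Not part of the thread: as an added example, a small Python triage script for the MBAM log format pasted above. It parses each "Infected" section and flags entries that sit in autorun, BHO, service or IE search-setting locations, anything still marked "Delete on reboot" (which is why a rescan after restarting matters), and summary counts that disagree with the listed items. The embedded sample is a constructed, abridged excerpt of the second MBAM log; the persistence patterns are my own heuristics, not Malwarebytes' classification.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged excerpt of the second MBAM 1.12 log in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Memory Processes Infected: 2
Registry Values Infected: 3
Files Infected: 2
Memory Processes Infected:
C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\devqjmxm\rshsrkre.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\B0Ux62Z1rk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<det>[^()]+)\) -> (?P<act>.+?)\.?$")
COUNT_RE = re.compile(r"^(?P<sec>.+ Infected): (?P<n>\d+)$")
# Heuristic (my own) patterns for locations that survive a reboot or hijack the browser.
PERSISTENCE = {
    "autorun": re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I),
    "bho": re.compile(r"\\Browser Helper Objects\\", re.I),
    "service": re.compile(r"\\CurrentControlSet\\Services\\", re.I),
    "ie_search_hijack": re.compile(r"\\Internet Explorer\\(Main\\|Search)", re.I),
}

def parse_mbam_log(text):
    """Return ({section: [(location, detection, action)]}, {section: declared count})."""
    items, declared, section = defaultdict(list), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT_RE.match(line):
            declared[m["sec"]] = int(m["n"])
        elif line.endswith(" Infected:"):
            section = line[:-1]
        elif (m := ITEM_RE.match(line)) and section:
            items[section].append((m["loc"], m["det"], m["act"]))
    return items, declared

def triage(text):
    """Flag persistence footholds, items not yet removed, and summary/detail count mismatches."""
    items, declared = parse_mbam_log(text)
    report = {"persistence": defaultdict(list), "pending_reboot": [], "count_mismatch": {}}
    for section, entries in items.items():
        if declared.get(section, len(entries)) != len(entries):
            report["count_mismatch"][section] = (declared[section], len(entries))
        for loc, det, act in entries:
            if act.lower().startswith("delete on reboot"):
                report["pending_reboot"].append(loc)
            for kind, rx in PERSISTENCE.items():
                if rx.search(loc):
                    report["persistence"][kind].append((loc, det))
    return report
```

An entry in `pending_reboot` means the scanner could not remove the file while it was loaded, so the post-restart rescan both posters ask for is the only way to confirm it is gone.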

#6 DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 June 2008 - 04:44 AM

Would you please update both programs and rescan? Quick scans will do.

A lot of changes can happen in 2 weeks.

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

You might even add the ATF Cleaner into the mix and use safe mode for it and SAS.

I like to update and install my programs and then disconnect from the internet and run a series of scans and cleans for a stubborn infection.

Edited by DaChew, 10 June 2008 - 04:49 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 June 2008 - 07:21 AM

IMPORTANT NOTE: One or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".



