Desktop Hijacked To Red With Hotlink, Popups


9 replies to this topic

#1 sm987

sm987

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 18 June 2008 - 10:10 AM

Thank you,

The family computer has recently been bogged down with a virus/malware of some sort and here are some of the things that are happening:

- Desktop has been hijacked to a red color with the text "your privacy settings are compromised. It's highly recommended to install antYspyware solution." I believe the word solution has been changed into some sort of hotlink.

- Multiple popups and bubbles from the taskbar including: "Your computer is working slowly, It is recommended you update your antispyware protection to prevent data loss." and bubbles from "Windows Defender" saying "Internet attack attempt detected" and "Windows Security Manager" stating "Computer is running slowly due to malware activity."

Also it's throwing links at me for Antispysider.us (I think I wrote it down correctly, I'm on a different PC).

Actually my problem sounds identical to what is happening in this post Same Problem but I didn't want to bog down the poster with another case in the same topic. I didn't want to start the same course of treatment in case my logs came up with different notices.

Thank you very much.


#2 cornzey

cornzey

  • Members
  • 156 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 PM

Posted 18 June 2008 - 10:31 AM

Have you scanned your computer with any anti-virus/malware?

Download Malwarebytes Anti-Malware from one of the links below:

Download Link 1
Alternative Mirror

Once downloaded, run the file. When the installation is complete, make sure you are connected to the Internet and you have checked the following:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then once the updating is complete, run a quick scan and post the results of the scan.

Hope this helps.

If I'm giving you help and I don't reply within 24 hours PM me with the topic link.



#3 sm987

sm987
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 18 June 2008 - 11:43 AM

Thanks for your help cornzey. I updated and ran the program as you instructed. Here are the results:

Malwarebytes' Anti-Malware 1.17
Database version: 867

12:32:49 PM 6/18/2008
mbam-log-6-18-2008 (12-32-44).txt

Scan type: Quick Scan
Objects scanned: 36905
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 43
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 13
Files Infected: 93

Memory Processes Infected:
C:\Program Files\webHancer\Programs\whagent.exe (Adware.Webhancer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\sockins32.dll (Trojan.BHO) -> Unloaded module successfully.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Unloaded module successfully.
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.Webhancer) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c4f0f9d7-1b93-4b92-8620-ff4b01e2f7de} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4f0f9d7-1b93-4b92-8620-ff4b01e2f7de} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webHancer Agent (Adware.Webhancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Secondary_Page_URL (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html ) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html ) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\105772 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\expo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inet2 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xrem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vntiho06 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sockins32.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Delete on reboot.
C:\Program Files\Windows NT\rydijypo66225.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\acdt-pid76.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Temp\ndcdll2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Local Settings\Temp\mmonHJ.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Local Settings\Temporary Internet Files\Content.IE5\B8SV65V0\acdt-pid76[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Local Settings\Temporary Internet Files\Content.IE5\B8SV65V0\snaptor[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\license.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\readme.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\sporder.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whagent.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whagent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\expo\mtcon66225.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Application Data\Microsoft\dtsc\ImTOO.iPod.movie.Converter.2.1.55 KEYGEN-FFF.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Application Data\Microsoft\dtsc\ImTOO.iPod.movie.Converter.2.1.55 KEYGEN-FFF.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer1\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\explore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\y.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.hta (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\loader.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo1.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo2.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo3.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo4.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo5.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promo6.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\promogif3.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\accesss.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\astctl32.ocx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\clrssn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\directx32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dnsrelay.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\editpad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funniest.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\funny.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\gfmnaaa.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\helpcvs.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iedll.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\inetinf.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msspi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssys.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msupdate.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc10.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mswsc20.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mtwirl32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\notepad32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\quicken.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\searchword.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\svcinit.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systeem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\systemcritical.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\time.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\users32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\waol.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win32e.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\win64.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winajbm.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\window.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winmgnt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xplugin.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by sm987, 18 June 2008 - 06:34 PM.
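The MBAM log above is easier to triage when read programmatically. This is an added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM 1.x log format shown in the post, which separates items that were fully quarantined from those deferred to "Delete on reboot" (the reason a second scan after rebooting is worth doing) and lists the hijacked registry data values with their bad and expected settings. The sample log is a handful of lines copied from the post; the regexes are written from that format and are an assumption about how other MBAM 1.x logs look.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) scan log and triage the findings."""
import re
from collections import defaultdict

# Section headers used in the MBAM 1.x log; each is followed by one item per line.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# "<path or key> (<classification>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Registry data items also carry the altered and the expected value:
# "... -> Bad: (<bad>) Good: (<good>) -> <action>."
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")

# Constructed sample: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.17
Database version: 867

Scan type: Quick Scan
Objects scanned: 36905

Memory Processes Infected: 1
Registry Data Items Infected: 2

Memory Processes Infected:
C:\Program Files\webHancer\Programs\whagent.exe (Adware.Webhancer) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.BHO) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\sockins32.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detected item: section, target, family, action,
    and for registry data items the bad/good values (None otherwise)."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Header lines (version, counts) precede the first section and are skipped.
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        rec = {"section": section, "target": m.group("target"),
               "family": m.group("family"), "bad": None, "good": None}
        d = DATA_RE.match(m.group("rest"))
        if d:
            rec.update(bad=d.group("bad"), good=d.group("good"), action=d.group("action"))
        else:
            rec["action"] = m.group("rest")
        items.append(rec)
    return items


def pending_reboot(items):
    """Items MBAM could not remove while running; they are only deleted at the
    next boot, so a follow-up scan after rebooting confirms they are gone."""
    return [i for i in items if i["action"] == "Delete on reboot"]


def hijacked_settings(items):
    """(setting name, bad value, expected value) for every Hijack.* data item,
    e.g. the Userinit entry that launched an extra executable at logon."""
    return [(i["target"].rsplit("\\", 1)[-1], i["bad"], i["good"])
            for i in items if i["family"].startswith("Hijack.")]


def family_counts(items):
    """Number of detections per classification, as MBAM spells it."""
    counts = defaultdict(int)
    for i in items:
        counts[i["family"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} items parsed; per family: {family_counts(found)}")
    for i in pending_reboot(found):
        print("pending reboot:", i["target"])
    for name, bad, good in hijacked_settings(found):
        print(f"hijacked {name}: was ({bad}), restored to ({good})")
```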


#4 sm987

sm987
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 18 June 2008 - 02:29 PM

I forgot to mention in my original post that this computer is running Windows XP and had AVG antivirus installed. I tried to use AVG first, and it found problems, but could not remove them (even though it said it did).

Thanks for all of your help,

#5 sm987

sm987
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 19 June 2008 - 10:12 AM

I ran the MBAM again this morning, and here are the results:

Malwarebytes' Anti-Malware 1.17
Database version: 869

11:02:12 AM 6/19/2008
mbam-log-6-19-2008 (11-02-12).txt

Scan type: Quick Scan
Objects scanned: 37172
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


I'm not sure I am completely clean yet. Should I run smitfraudfix and see what that turns up? Or is there an alternate course of treatment that I could try? Thank you very much for all of your help so far.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:33 AM

Posted 19 June 2008 - 11:21 AM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Also let us know how your computer is running and if there are any more reports/signs of infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#7 sm987

sm987
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 19 June 2008 - 03:16 PM

Thanks for your reply quietman7. I have followed the directions you have given. Popups have stopped (well, they stopped after the first MBAM scan) and the computer seems to be running better, albeit a bit slow (which could be due to other probs, I can't remember the last time it was defragged).

As you requested, the results of the SUPERAntiSpyware test:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/19/2008 at 03:56 PM

Application Version : 4.15.1000

Core Rules Database Version : 3485
Trace Rules Database Version: 1476

Scan type : Complete Scan
Total Scan Time : 02:47:24

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 4608
Registry threats detected : 22
File items scanned : 97905
File threats detected : 15

Adware.RelatedLinks
HKLM\Software\Classes\CLSID\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}
HKCR\CLSID\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}
HKCR\CLSID\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}
HKCR\CLSID\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}\InprocServer32
HKCR\CLSID\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}\InprocServer32#ThreadingModel
C:\WINDOWS\LBBHO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53BF70AA-5DE4-4471-B9CE-075CF956CDA9}

Trojan.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#UninstallString
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-21-2176874775-3986856820-335214668-1005\Software\New.net
HKU\S-1-5-18\Software\New.net
HKLM\Software\New.net
HKLM\Software\New.net#Activity
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#Tag
HKLM\Software\New.net#Prt
HKLM\Software\New.net#Source
HKLM\Software\New.net#Complete
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
C:\Program Files\NewDotNet\nncore.dll
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\NewDotNet\readme.html
C:\Program Files\NewDotNet\uninstall.exe
C:\Program Files\NewDotNet
C:\WINDOWS\NDNUNINSTALL4_85.EXE
C:\WINDOWS\NDNUNINSTALL6_38.EXE
C:\WINDOWS\NDNUNINSTALL6_76.EXE
C:\WINDOWS\NDNUNINSTALL6_90.EXE
C:\WINDOWS\NDNUNINSTALL6_98.EXE
C:\WINDOWS\NDNUNINSTALL7_14.EXE
C:\WINDOWS\NDNUNINSTALL7_22.EXE
C:\WINDOWS\NDNUNINSTALL7_48.EXE

Trojan.Unknown Origin
C:\WINDOWS\system32\sn.txt

What should I do next? The program said it quarantined and removed the files. Should I run again in safe mode and see if it picks up anything else again?

Thank you so much for your help,

EDIT: Just as I had finished typing the reply out, I got an error message from my AVG that a threat was detected. Don't know if this is a false positive or something more serious...

Trojan horse Downloader.Generic7.RKZ

found at C:\System Volume Information\_restore{2AD2B242-1E70-421B-A85B-436AF21ADA96}\RP451\A0056495.exe

Edited by sm987, 19 June 2008 - 04:24 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:33 AM

Posted 20 June 2008 - 06:41 AM

The infected RP***\A00*****.exe file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

If your computer seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

#9 sm987

sm987
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 20 June 2008 - 09:12 AM

I had forgotten to mention that I scanned with AVG A-V right after receiving that error message, and the full scan showed 0 infections.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:33 AM

Posted 20 June 2008 - 09:26 AM

Glad to hear that. Now you can try some of the suggestions to speed up your computer.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".
"How to Set Security Options in the Firefox Browser".