Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus, Red Toxic Wallpaper, Antivirus 2008..


  • Please log in to reply
11 replies to this topic

#1 eert

eert

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 22 June 2008 - 05:50 AM

Help, I've got some sort of virus! My background has turned red with "your privacy is in danger, download privacy protection software now".

I can't access my computer files, my task manager is apparently disabled, i get this pop up constantly: "Windows has detected an Internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection." and when i try using the internet, i can't navigate from the antivirus 2008 page. HELP!

I've been looking at threads here with similar problems but the thing is, the advice people give is to download certain things and run them to get rid of it.

Sounds simple right? but when i try to go to the links on my other computer (the infected one), it won't navigate to those links using IE, so how am i supposed to download any fix links?

I then tried using firefox, it works and goes to other pages but i can't download the software to my desktop, it just says "would you like to save this file? yes/no" and then saves to my external harddrive (H:), i tried to play with the options on firefox and set it to save in a different location but when i click on browse, nothing happens. I also tried to click on the option to ask me where to save each time but when i go to save it, it doesn't ask me an continues to save on (H:)

I have no idea what to try next

BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 22 June 2008 - 06:00 AM

Do part 1 of 2 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

If you can't do this in Normal Mode, please try it in Safe Mode.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA

Posted 22 June 2008 - 07:23 AM

I've been looking at threads here with similar problems but the thing is, the advice people give is to download certain things and run them to get rid of it.

You should not be following specific instructions provided to someone else especially if they were given in the HijackThis forum. Those instructions were given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix instructions could lead to disastrous problems with your operating system. It's best that you tell us what specific issues YOU are having rather than point to someone else.

...so how am i supposed to download any fix links?

Download any programs you are asked to use from another computer and save them to a flash (usb, pen, thumb, jump) drive or CD. Then transfer directly to the infected computer where you can use them. Also download MBAM and follow these instructions:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 eert

eert
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:56 PM

Posted 22 June 2008 - 07:51 AM

Thanks for the replies and sorry for taking so long to reply :thumbsup:

here's my log from malwarebytes

Malwarebytes' Anti-Malware 1.17
Database version: 846

03:19:48 24/06/2008
mbam-log-6-24-2008 (03-19-48).txt

Scan type: Quick Scan
Objects scanned: 40065
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBspqRL.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xwxkntxe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\wpvmqosg.dll (Trojan.Zlob) -> Unloaded module successfully.
C:\WINDOWS\system32\mlJCTKdc.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e204d2ad-db93-4033-99f0-ddfebb75f66d} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e204d2ad-db93-4033-99f0-ddfebb75f66d} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0f09fc57-40e5-4c9f-8ff4-40be5d4a8502} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{988dfab1-2308-45ff-a156-2f258eb6a40c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{51530505-e0b8-4207-984b-30d85f942bf2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51530505-e0b8-4207-984b-30d85f942bf2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljctkdc (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\382c4609 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wpvmqosg (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51530505-e0b8-4207-984b-30d85f942bf2} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebspqrl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebspqrl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBspqRL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LRqpsBeg.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LRqpsBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xwxkntxe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\extnkxwx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\extnkxwx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\wpvmqosg.dll (Trojan.Zlob) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxywXnkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRigFyX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCTKdc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Tempboome20.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#5 eert

eert
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 22 June 2008 - 07:53 AM

I'm still getting the antivirus 2008 popups but the wallpaper and a few other smaller popups have gone away, what can i try next? thanks

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:56 PM

Posted 22 June 2008 - 08:57 AM

Would you post the scan from smitfraudfix?

You have rebooted to finish the cleanup from MBAM?
Chewy

No. Try not. Do... or do not. There is no try.

#7 eert

eert
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:56 PM

Posted 22 June 2008 - 09:13 AM

Yeah I even scanned again after i rebooted until the scan came out completely clear, but that antivirus2008 thing is still there.

I'll do that smitfraudfix right away and post the results here.

#8 eert

eert
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 22 June 2008 - 09:19 AM

SMITFRAUDFIX Results:

SmitFraudFix v2.328

Scan done at 5:11:11.87, 24/06/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PENSOFT\Quick95.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\WTablet\TabUserW.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!



404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL,wbsys.dll,"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E08A0B3F-DC33-4080-8397-37314DE72C22}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{44BCEC53-B47B-4A68-8369-7D94DC36789D}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E08A0B3F-DC33-4080-8397-37314DE72C22}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E08A0B3F-DC33-4080-8397-37314DE72C22}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:56 PM

Posted 22 June 2008 - 09:31 AM

Would you update MBAM to the latest version and latest definitions please, this is a relatively new infection
Chewy

No. Try not. Do... or do not. There is no try.

#10 eert

eert
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:56 PM

Posted 22 June 2008 - 10:16 AM

I just updated then tried again and it finally found the antivirus file! it worked and it's now been removed! thanks very much for your help!! :D

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:56 PM

Posted 22 June 2008 - 10:47 AM

I am sure Quietman7 would like you to post that last log please
Chewy

No. Try not. Do... or do not. There is no try.

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:56 PM

Posted 22 June 2008 - 01:51 PM

Yes, please post the last MBAM log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users