Infected With Iftuyszv.exe, Trojandownloader & Coolwebsearch


13 replies to this topic

#1 csiagent

csiagent

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 30 June 2008 - 08:33 AM

Hi, please bear with me as I, like others, am not very technical.

My computer is infected with "trojandownloader.xs", "coolwebsearch" and something about "IFTUYSZV.exe". I'm not sure about the last one being a .exe, but it is giving me a big problem. My wallpaper is gone and the screen is now blue and has a warning message on it; it says "Warning your computer is infected with spyware install an anti virus or spyware remover", and now I get these pop-ups of spyware to purchase and a RED Windows Warning every 2 minutes saying there is another infected file with the file name attached. The Task Manager has somehow been disabled, and I use Spybot Search and Destroy but there is nothing more it can do at this point.

I have read many previous posts and 1 or 2 that seem very similar to my problem as well but I, like others, do not want to run any diagnostic tools, etc, without some sort of supervision from the moderators or the HijackThis Team.

I am running Windows XP Pro edition and also have an external hard drive that I believe to be infected as well, sadly the external HDD is where I store and archive all of my important pix and files.

Please any help with this would be greatly appreciated and I Thank You in advance.

csiagent

Edited by Orange Blossom, 30 June 2008 - 04:47 PM.
Move to more appropriate forum. ~ OB

Those who watch with indifference the attacks upon their neighbors, fall into degeneracy themselves.


#2 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 30 June 2008 - 05:38 PM

Run the following fix:

How to remove CoolWebSearch with CWShredder

After that run a full system scan with Malwarebytes' Anti-Malware.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 01 July 2008 - 12:54 AM

Thanks Budapest for your help.

I can no longer reach the bleepingcomputer website from my infected computer and it has completely disabled my Firefox browser. I can still get on using Internet Explorer but it redirects all of my attempts to come here to tons of ads. I'm really worried that I may lose my whole system, sometimes it won't even let me boot up and when it does I can't do much once I'm on. Any help or advice on how to get this mess cleaned up?

I can't get the CWShredder or anything else if I can't get to this website or any other decent website. I'm having to use a different computer now to reply with.

#4 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 01 July 2008 - 01:06 AM

Try downloading CWShredder on a clean computer and then transfer it to the problem computer on a CD or pen drive.

Also, while you're at it you could also download the following two tools (on the clean computer) and run them in Safe Mode.

Dr.Web CureIt!
http://freedrweb.com/cureit/

McAfee Avert Stinger
http://vil.nai.com/VIL/stinger/

How to start Windows in Safe Mode

#5 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 02 July 2008 - 07:52 AM

I did as you said and was able to run the specific programs on the infected computer. The CWShredder quickly found nothing which I thought was strange.

The Malware, Dr. Web, and Stinger programs found quite a bit and either "moved" the infected files or were able to delete them. Now my desktop wallpaper is a white screen with a Windows Warning saying that my desktop has been changed and to change it back click the button below, and there is a large button to click (I have not clicked the button). Under that it goes on to talk more about other problems; it also has a big blue Yield sign emblem on it with an exclamation point inside the emblem. This screen is something I have never seen before.

The good news is that Firefox seems to be working again and I was able to run a scan using Spysweeper which I could not do before. It only found one problem and was able to fix it. Obviously there is still quite a bit wrong or at least things that need to be repaired to get my computer back to normal but I feel a little better after running the scans you mentioned, I am very grateful for your help.

#6 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2008 - 08:11 AM

My computer is infected with "trojandownloader.xs", "coolwebsearch" and something about "IFTUYSZV.exe".

Those were probably all bogus alerts created by a rogue security program. Coolwebsearch is an older infection.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply. Make sure you update to the most current database before scanning again. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 02 July 2008 - 05:48 PM

The SDFix Log:


SDFix: Version 1.199
Run by Administrator on Wed 07/02/2008 at 05:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\B.EXE - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\b.exe - Deleted
C:\WINDOWS\system32\n.bat - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\f10 - Removed
Folder C:\WINDOWS\system32\vec3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 17:51:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\My Adobe Creative Suite 2\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="F:\\My Adobe Creative Suite 2\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\StubInstaller.exe"="F:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"F:\\New Folder\\LimeWire\\LimeWire.exe"="F:\\New Folder\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Limewire\\LimeWire\\LimeWire.exe"="F:\\Limewire\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Limewire-1\\LimeWire\\LimeWire.exe"="F:\\Limewire-1\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\LimeWire\\LimeWire.exe"="F:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\LimeWire\\root\\LimeWire.exe"="F:\\LimeWire\\root\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\VVission Conference\\Conference.exe"="C:\\Program Files\\VVission Conference\\Conference.exe:*:Enabled:Audio/Video Conference by KIOSK Team"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Free SMTP Server\\localsrv.exe"="C:\\Program Files\\Free SMTP Server\\localsrv.exe:*:Enabled:localsrv"
"C:\\Program Files\\Conference\\Conference.dll"="C:\\Program Files\\Conference\\Conference.dll:*:Enabled:Audio/Video Conference by KIOSK Team"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 30 Jun 2008 98,816 ..SHR --- "C:\WINDOWS\system32\actskn45m.exe"
Sat 25 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 17 Nov 2004 94,458 ...H. --- "C:\Program Files\Nero\data\Nero PhotoShow Express.exe"
Fri 28 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 6 Jan 2007 90,112 A..H. --- "C:\Documents and Settings\Scott Smith\My Documents\GDI\~WRL0004.tmp"
Sun 9 Dec 2007 0 ...H. --- "C:\Documents and Settings\Scott Smith\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 11 Apr 2006 2,461,696 A..H. --- "C:\Documents and Settings\Scott Smith\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

---------------------------------------------------------------------------------------------------------------------------------------------
And the MBAM Log:


Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

6:41:11 PM 7/2/2008
mbam-log-7-2-2008 (18-41-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93502
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\Scott Smith\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSA Shellu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\rootmdmm.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcyYsPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott Smith\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Thanks
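As an added example (not from the thread or from Malwarebytes), a small triage script for the MBAM 1.x text log format pasted above. It cross-checks the summary counts against the itemised sections, lists anything MBAM could not remove, and flags rootkit-class detections such as the Rootkit.Agent driver that the next reply singles out. The embedded log is constructed from the detections in the thread with the Windows profile name replaced.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log: added example, not from the thread.
The sample is constructed in the MBAM 1.19 layout pasted above; the detections are
the ones from that log with the Windows profile name replaced."""
import re

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.19
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\\Documents and Settings\\User\\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\LSA Shellu (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\rootmdmm.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\ddcyYsPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\User\\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 3"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")         # object (family) -> action


def parse_mbam_log(text):
    """Return (summary, items): summary maps a section name to the count MBAM
    reported; items holds one dict per detection line, tagged with its section."""
    summary, items, section = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, "object": m.group(1),
                          "family": m.group(2), "action": m.group(3)})
    return summary, items


def triage(text):
    """Compare reported counts with parsed items, list anything not removed, and
    flag rootkit-class hits (the case where a clean reinstall is the safe advice)."""
    summary, items = parse_mbam_log(text)
    seen = {}
    for d in items:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    mismatches = {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}
    rootkit = [d["object"] for d in items if d["family"].lower().startswith("rootkit")]
    not_removed = [d["object"] for d in items if "successfully" not in d["action"].lower()]
    return {"mismatches": mismatches, "rootkit": rootkit,
            "not_removed": not_removed, "rebuild_recommended": bool(rootkit)}
```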

#8 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2008 - 06:00 PM

One or more of the identified infections was related to a rootkit component. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#9 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 02 July 2008 - 07:04 PM

Thanks for the warnings. I have changed all my passwords from another computer and would like to salvage what I can that is not going to be a threat and go ahead with wiping this system clean. I would like to do this in an attempt to be able to re-use this computer. Question: After reinstalling the OS fresh again will this system be trustworthy? If so I would like to do that.

#10 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2008 - 08:42 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and "What Do I Do?" links I previously provided. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action, but I cannot make that decision for you.

As I said, should you decide not to do that, we will do our best to help clean the computer of any infections.

#11 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 02 July 2008 - 10:29 PM

I understand what you mean. I only want to know if there are any files (like pictures jpg, wav & mp3 files etc...) that can be salvaged before cleaning the hard drive and doing a complete reinstall and losing all those files.

I want to reformat the disk and start fresh so I know I will have a safe computer again.

My question is about certain files like pictures and music files, do they have a way to carry the virus or backdoor or rootkit? I do Not want for example to take my music and put it on a clean computer and find out that it got infected that way. I simply don't know if wav, jpgs, & mp3 files are susceptible to being carriers and have the potential to do harm. If I can save my pictures and music to another computer before formatting the infected one that would be great, but I understand not doing that if it is not safe.

#12 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 July 2008 - 07:17 AM

You can back up all your important documents, data files and photos. You should not back up any .exe files because they may be infected. Some malware may disguise itself by adding and hiding its extension to the existing extension of other files, so be sure you take a close look at the full name. I don't see any evidence in your case, but I like to err on the side of caution. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
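As an added example (not part of the thread), a screening script that applies the advice above when picking files off an infected drive: it refuses anything with an executable extension, reads the full name for a second extension buried before it, and checks the file's leading bytes so a program renamed to .jpg or .gif does not pass as a photo. The extension lists and magic values are the author's choices, and the sample names are constructed (B.EXE is the name from the SDFix log).

```python
"""Screen files on an infected PC before copying them to backup media.

Added example, not from the thread. It applies the reply above: skip anything
executable, read the *full* name for a second, hidden extension, and do not
trust the extension alone but look at the file's leading bytes as well.
"""
import os

DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".wav", ".mp3", ".doc", ".txt", ".pdf"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".dll", ".sys", ".lnk", ".hta"}
# Leading bytes that identify common formats regardless of the file name.
MAGIC = [(b"MZ", "pe-executable"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"),
         (b"GIF8", "gif"), (b"RIFF", "riff"), (b"ID3", "mp3"), (b"%PDF", "pdf")]


def sniff(head):
    """Classify a file by its first bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def screen(name, head):
    """Return (verdict, reason): 'copy', 'skip' or 'suspect' for one file."""
    exts = ["." + p for p in name.lower().split(".")[1:]]   # every extension in the full name
    last = exts[-1] if exts else ""
    kind = sniff(head)
    if last in EXEC_EXTS:
        return "skip", "executable extension " + last
    if any(e in EXEC_EXTS for e in exts[:-1]):
        return "suspect", "executable extension buried in the name"
    if kind == "pe-executable":
        return "suspect", "content is a Windows executable despite the name"
    if last in DATA_EXTS:
        return "copy", "data file, content looks like " + kind
    return "suspect", "unrecognised extension " + (last or "(none)")


def screen_tree(root, read_bytes=8):
    """Walk a directory (e.g. the mounted infected drive) and screen each file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(read_bytes)
            except OSError as exc:
                results[path] = ("suspect", "unreadable: %s" % exc)
                continue
            results[path] = screen(fn, head)
    return results


# Constructed samples: name and first bytes of files as they might sit on the drive.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),   # genuine JPEG
    ("holiday.jpg.exe", b"MZ\x90\x00"),     # double extension: a program posing as a photo
    ("song.mp3", b"ID3\x03"),               # genuine MP3 with an ID3 tag
    ("cover.gif", b"MZ\x90\x00"),           # wrong extension: PE content inside a 'gif'
    ("B.EXE", b"MZ\x90\x00"),               # plain executable, never copied
    ("notes.txt", b"hello"),                # text, no magic to check
]


def screen_samples(samples=SAMPLES):
    return {name: screen(name, head)[0] for name, head in samples}
```

Files marked "suspect" are the ones to look at by hand or leave behind; "copy" still means scan them with an up-to-date anti-virus on the rebuilt machine before restoring, as the reply advises.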

#13 csiagent

csiagent
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Indy

Posted 03 July 2008 - 07:33 AM

Thanks Quietman.

Do I need to post in a different topic/forum to get help with the reformatting process?

My hard drive is partitioned in half. One side Windows XP, one side Kubuntu. I am guessing I will lose Linux as well.

#14 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 July 2008 - 07:44 AM

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.

These links include step by step instructions:
"Clean Install Windows XP".
"Reformat & Clean Install Windows".
"XP Clean Install Interactive Setup".