
Virus Alert! In System Tray, Pop-ups, No Longer Administrator


6 replies to this topic

#1 TimmyJ

TimmyJ

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 16 July 2008 - 01:06 PM

Hi, I am having a problem with my computer. It happened yesterday. Every now and then I get "Virus Alert!" in the system tray, as well as a white X with a red circled background. Also, there are 3 links or programs on my desktop (Error Cleaner, Privacy Protector and Spyware&Protection). However, that is only half of it. I initially had my C and D drives missing in My Computer; also, when I go to "Start", the All Programs tab is sometimes missing and most of the icons on the right-hand side are gone, as well as the ability to "Run". I have just got a pop-up with the heading Windows Security Alert, which states:

Windows has detected an Internet attack attempt...
Somebody's trying to infect your PC with spyware or harmful viruses. Run full scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection.

Another pop-up saying:
Security Warning!

Worm.Win32.NetBooster detected on your machine. This virus is distributed via the Internet through e-mail and EXE and Active-X objects. The Worm has its own SMTP which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.
This process process should be removed from your system.

Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista
Security Risk (0-5): 5
Recommendations: Click yes to remove it from your PC immediately.

I have run AVG anti-virus as well as AVG spyware and deleted (or quarantined) the infections.

I read on here about Malwarebytes' Anti-Malware so I installed and ran it. It removed the icons but they were back after reboot. I also followed the tips for ComboFix which temporarily allowed me to use the Run command.

On top of that, if I press CTRL+ALT+DELETE I get a message stating that Task Manager has been disabled by your administrator. REGEDIT has also been disabled.

Please help if you can. :'(


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 16 July 2008 - 04:12 PM

Hello there, welcome to BleepingComputer :thumbsup:

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please include rapport.txt in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 mbill444

mbill444

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 16 July 2008 - 04:59 PM

What happens if the virus doesn't allow you to install any programs from desktop, CD, or flash drive? What can you do?

#4 TimmyJ

TimmyJ
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 16 July 2008 - 06:15 PM

Hi, firstly thank you for the fast reply. OK, here is what my rapport.txt file says:

SmitFraudFix v2.329

Scan done at 0:03:38.10, 17/07/2008
Run from C:\Documents and Settings\Compaq_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix



Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\DOCUME~1\COMPAQ~1\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\COMPAQ~1\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\COMPAQ~1\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\COMPAQ~1\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\COMPAQ~1\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\COMPAQ~1\FAVORI~1\Spyware?Malware Protection.url Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7EC3FD5B-14A6-4ADE-9433-91986187FCC1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{93D0FCF1-CD85-44DE-9428-16015535C1A3}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E85C7587-5C3A-467B-A5D4-9F51C673C924}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{93D0FCF1-CD85-44DE-9428-16015535C1A3}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E85C7587-5C3A-467B-A5D4-9F51C673C924}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7EC3FD5B-14A6-4ADE-9433-91986187FCC1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{93D0FCF1-CD85-44DE-9428-16015535C1A3}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E85C7587-5C3A-467B-A5D4-9F51C673C924}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7EC3FD5B-14A6-4ADE-9433-91986187FCC1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{93D0FCF1-CD85-44DE-9428-16015535C1A3}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E85C7587-5C3A-467B-A5D4-9F51C673C924}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

I assume I did the right thing by rebooting into normal mode?

Thanks
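The rapport.txt above is what the helper reads next, so here is an added example (not part of SmitfraudFix, and not from anyone's post in this thread) of reading one programmatically: it splits the report on the section titles seen above, lists the deleted files, collects the DhcpNameServer entries per interface and flags any that fall outside private LAN ranges for a manual look, and reads the Winlogon "System" value, which the posted report shows as the empty (clean) default. The embedded sample report is constructed, with placeholder GUIDs, user name and documentation-range addresses; the section titles are assumed to match the tool's output as printed above.

```python
"""Parse a SmitfraudFix rapport.txt into named sections and extract what a helper
reviews first: deleted files, DHCP name servers per interface, Winlogon "System".
Added example for this thread, not SmitfraudFix code. Section titles are assumed
from the posted report; the sample report is constructed."""
import ipaddress
import re

# Section titles as they appear in the posted report (assumed stable).
SECTION_TITLES = {
    "SharedTaskScheduler Before SmitFraudFix", "hosts", "VACFix", "Winsock2 Fix",
    "Generic Renos Fix", "Deleting infected files", "IEDFix", "404Fix", "DNS",
    "Deleting Temp Files", "Winlogon.System", "Registry Cleaning",
    "SharedTaskScheduler After SmitFraudFix", "End",
}
DNS_RE = re.compile(r"^(?P<key>HKLM\\.+?): DhcpNameServer=(?P<servers>.*)$")
WINLOGON_RE = re.compile(r'^"System"="(?P<value>.*)"$')
# Ranges a home or office LAN would normally hand out via DHCP (plus loopback).
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample modelled on the posted report: placeholder GUIDs, user name,
# and documentation-range (203.0.113.0/24) addresses standing in for public ones.
SAMPLE_REPORT = r"""SmitFraudFix v2.329

Scan done at 0:03:38.10, 17/07/2008
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

hosts

127.0.0.1 localhost

Deleting infected files

C:\DOCUME~1\USER~1\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\USER~1\Desktop\Privacy Protector.url Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000002}: DhcpNameServer=203.0.113.5 203.0.113.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

End
"""


def split_sections(report: str) -> dict:
    """Group non-empty lines under the section title that precedes them;
    lines before the first title go under "header"."""
    sections = {"header": []}
    current = "header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_TITLES:
            current = line
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def deleted_files(sections: dict) -> list:
    """Paths reported as deleted, with the trailing ' Deleted' marker removed."""
    return [line[: -len(" Deleted")]
            for line in sections.get("Deleting infected files", [])
            if line.endswith(" Deleted")]


def dns_servers(sections: dict) -> dict:
    """Map each Tcpip registry key in the DNS section to its DHCP name servers."""
    servers = {}
    for line in sections.get("DNS", []):
        m = DNS_RE.match(line)
        if m:
            servers[m.group("key")] = m.group("servers").split()
    return servers


def non_lan_dns(sections: dict) -> list:
    """(key, server) pairs whose server is outside the usual LAN ranges.
    Reported for manual review only: a public resolver is not evidence of
    infection by itself, it just has to match the network the machine is on."""
    flagged = []
    for key, addrs in dns_servers(sections).items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in LAN_RANGES):
                flagged.append((key, addr))
    return flagged


def winlogon_system_value(sections: dict):
    """Winlogon's "System" value, or None if the section is absent.
    The posted report shows the clean default, an empty string."""
    for line in sections.get("Winlogon.System", []):
        m = WINLOGON_RE.match(line)
        if m:
            return m.group("value")
    return None


if __name__ == "__main__":
    s = split_sections(SAMPLE_REPORT)
    print("deleted:", deleted_files(s))
    print("non-LAN DNS:", non_lan_dns(s))
    print("Winlogon System value:", repr(winlogon_system_value(s)))
```

The DNS check reports rather than decides: ISP and corporate networks legitimately hand out public resolver addresses, so the useful question is whether each address matches the network the machine was actually connected to, which only the person at the keyboard can answer.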

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 17 July 2008 - 03:07 AM

Yep, you did it right.
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If you are pleased with the service I have offered, you may like to consider making a donation.


#6 TimmyJ

TimmyJ
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 17 July 2008 - 07:53 AM

Hi these are my scan results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2008 at 01:37 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:07:24

Memory items scanned : 520
Memory threats detected : 2
Registry items scanned : 6298
Registry threats detected : 48
File items scanned : 32377
File threats detected : 17

Adware.Vundo-Variant/J
C:\WINDOWS\EVGRATSM.DLL
C:\WINDOWS\EVGRATSM.DLL
C:\WINDOWS\KVXQMTRE.DLL
C:\WINDOWS\KVXQMTRE.DLL

Trojan.Unclassified/GTS
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{A8160B32-92A5-48CB-839D-D4C5D05054E4}
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\InprocServer32
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\InprocServer32#ThreadingModel
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\ProgID
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\Programmable
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\TypeLib
HKCR\CLSID\{A8160B32-92A5-48CB-839D-D4C5D05054E4}\VersionIndependentProgID
HKCR\qndsfmao.1
HKCR\qndsfmao
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}\1.0
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}\1.0\0
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}\1.0\0\win32
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}\1.0\FLAGS
HKCR\TypeLib\{85648929-03B0-4C51-8A26-37328566258F}\1.0\HELPDIR
C:\WINDOWS\QNDSFMAO.DLL

Unclassified.Oreans32
HKLM\System\ControlSet002\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\ControlSet003\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-3018113612-3183069559-1171703824-1007\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Desktop Hijacker.AboutYourPrivacy
C:\Documents and Settings\Compaq_Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Compaq_Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Compaq_Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Spyware&Malware Protection.url

Adware.Tracking Cookie
.hit.stat.pl [ C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\4c80tsv9.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\El Familo\Application Data\Mozilla\Firefox\Profiles\xsygir5f.default\cookies.txt ]
.tracking.summitmedia.co.uk [ C:\Documents and Settings\El Familo\Application Data\Mozilla\Firefox\Profiles\xsygir5f.default\cookies.txt ]

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\COMPAQ_ADMINISTRATOR\DESKTOP\UNUSED DESKTOP SHORTCUTS\CLICK TO FIND AND FIX ERRORS.URL

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP486\A0081908.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP486\A0081912.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP486\A0081913.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP487\A0082026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP488\A0082697.EXE

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP494\A0087691.DLL


I had to first go into Safe Mode at reboot because it wouldn't reboot properly. Also, no pop-ups as yet (usually a few by now, but I'm not holding my breath lol). The "Virus Alert!" is back in the system tray, and administrative tasks are still unavailable, as well as the problem with the "Start" menu.

I do realise we are far from done :flowers:

Also just a quick thank you for all your help really appreciate it. :thumbsup:

So what's next? (rubs hands)
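As an added example (not SUPERAntiSpyware's code, and not from this thread), here is a parser for a scan log of the shape posted above. It reads the six counters, groups the detections under their names, and then buckets each item by where it lives so they can be triaged in order: registry entries and the service names they reference, driver images (.SYS), active files, copies inside System Restore, and tracking cookies. The log format is assumed from the posted log; the sample embedded below is constructed with placeholder detection names, paths and GUIDs.

```python
"""Parse a SUPERAntiSpyware scan log into counters and detection groups, then
bucket the items by location for triage. Added example for this thread, not
SUPERAntiSpyware's code; format assumed from the posted log, sample constructed."""
import re

STAT_RE = re.compile(
    r"^((?:Memory|Registry|File) (?:items scanned|threats detected))\s*:\s*(\d+)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\#]+)", re.IGNORECASE)
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE", re.IGNORECASE)
REG_HIVES = ("HKLM", "HKCU", "HKCR", "HKU")

# Constructed sample in the posted log's layout; names, paths and GUIDs are placeholders.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2008 at 01:37 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:10:00

Memory items scanned : 100
Memory threats detected : 0
Registry items scanned : 500
Registry threats detected : 3
File items scanned : 1000
File threats detected : 4

Example.Toolbar
HKCR\CLSID\{00000000-0000-0000-0000-000000000001}
HKCR\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
C:\WINDOWS\EXAMPLE.DLL

Example.Driver
HKLM\SYSTEM\CurrentControlSet\Services\exampledrv
C:\WINDOWS\SYSTEM32\DRIVERS\EXAMPLEDRV.SYS

Adware.Tracking Cookie
.tracker.example [ C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abc.default\cookies.txt ]

Example.RestorePointCopy
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000002}\RP1\A0000001.EXE
"""


def parse_sas_log(text: str):
    """Return (stats, groups). stats maps the six counter names to ints; groups
    maps each detection name to its items. Detection groups are the blank-line
    separated paragraphs that follow the 'File threats detected' counter."""
    stats, groups = {}, {}
    in_detections = False
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in para.splitlines() if l.strip()]
        if not lines:
            continue
        if not in_detections:
            for line in lines:
                m = STAT_RE.match(line)
                if m:
                    stats[m.group(1)] = int(m.group(2))
                    if m.group(1) == "File threats detected":
                        in_detections = True
            continue
        groups.setdefault(lines[0], []).extend(lines[1:])
    return stats, groups


def classify(item: str, category: str) -> str:
    """Bucket one detected item by where it lives on the system."""
    if "Tracking Cookie" in category:
        return "cookie"
    if item.upper().startswith(REG_HIVES):
        return "registry"
    if RESTORE_RE.search(item):
        return "restore_point"   # copy held by System Restore, not a running file
    if item.upper().endswith(".SYS"):
        return "driver"          # kernel driver image
    return "file"


def triage(groups: dict) -> dict:
    """Sort every detected item into classify() buckets, in triage order."""
    buckets = {"registry": [], "driver": [], "file": [], "restore_point": [], "cookie": []}
    for category, items in groups.items():
        for item in items:
            buckets[classify(item, category)].append(item)
    return buckets


def service_names(groups: dict) -> list:
    """Service names referenced by detected registry entries under ...\Services\<name>.
    A service entry is a boot-time persistence point, so confirm these are gone after cleanup."""
    names = set()
    for items in groups.values():
        for item in items:
            if item.upper().startswith(REG_HIVES):
                m = SERVICE_RE.search(item)
                if m:
                    names.add(m.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    stats, groups = parse_sas_log(SAMPLE_LOG)
    print(stats)
    for bucket, items in triage(groups).items():
        print(f"{bucket}: {len(items)}")
    print("services:", service_names(groups))
```

Copies under System Volume Information only come back if that restore point is applied, so they rank below an entry under Services, which is loaded at boot; that is why service_names() is separated out, and why the posted log's service entry is the one to re-check once the cleanup is done.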

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 20 July 2008 - 03:43 PM

I think in this situation you should consider posting a HijackThis log for analysis by our experts. Please follow our Preparation Guide For Use Before Posting a HijackThis Log, running all of the scans before posting your HijackThis log. Do not post your log here, but instead use our HijackThis Logs and Analysis Forum.
After posting a log you should NOT make further changes to your computer except those that are advised by a member of the HijackThis Team; doing so can cause system changes that may not be visible in your log. Please be patient whilst waiting for a response; our HJT Team is currently very busy, and as we try to deal with logs on a "first come, first served" basis, you may have to wait a short while.

If you are pleased with the service I have offered, you may like to consider making a donation.




