Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus 2008, Blue Screen, Trojans... Removed?


  • Please log in to reply
11 replies to this topic

#1 Shokotan

Shokotan

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 29 July 2008 - 05:04 PM

Hi,

Just earlier today I was being infected by a blue desktop screen that said "Warning! Spyware Detected on Your Computer! Install an antivirus or spyware remover to clean your computer."

As well as something called Antivirus 2008 when I clicked a fake setup.exe. I ran my computer in Safe Mode and deleted it from my Program Files, so now I don't see any sign of it. There was a folder with a lot of random letters and numbers that began with the letter "r" that my virusscan found was infected... and I deleted that from both the Local Disk and Registry, too.

The blue screen was harder to get rid of, but after running some scans and deleting some junk, it seems to be gone now. Before, it had disabled the "Desktop" tab in my Properties. Also, after I login to my Windows account, McAfee VirusScan Enterprise kept giving me a message that said something called "blowfish.dll" was removed... it appeared multiple times.

I ran the free version of Ad-Aware 2008 and it detected "Virtumonde" and "Win32.Worm.AutoRun" and removed them.

I also ran Windows Defender, and it found "Trojan:Win32/Vundo.gen!T", that I believe also got removed after I restarted.

With Spybot Search & Destroy, I removed:

22ndStreetComputers.PS3_fraud (contained registry key)
Microsoft.Windows.System (contained two registry changes)
Virtumonde.dll (contained two files and one registry key)
Virtumonde (contained two registry keys) (two of these)
Win32.Banker.aipy.rtk (one file) (two of these)

And I used RegCleaner to get rid of some suspicious-looking things as well.


So... now it appears that everything is back to normal... but I'm not sure if I got everything. There may still be some hidden infections that I don't know about. I looked up one of the trojans, and it said that it can log keystrokes and screenshots that get sent to a hacker site, so now I'm paranoid. :/

Is there anyway I can check and confirm that I actually got rid of everything?

-- Also, I want to take this chance to add that over the past few days, McAfee randomly pops up saying it deleted something called MSFONT.dll. It warns me about that several times a day, and I have no clue why.

EDIT:

Just a second ago, I got a pop up saying Antivirus 2009 needs to scan my computer... but I "x"ed out of it. Also, I got logged out of my Gmail account because it said someone else logged in from the same browser...? Ok, now I'm getting nervous.

Edited by Shokotan, 29 July 2008 - 05:12 PM.


BC AdBot (Login to Remove)

 


m

#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,570 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:50 PM

Posted 29 July 2008 - 05:32 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Shokotan

Shokotan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 29 July 2008 - 06:06 PM

I rebooted and here's the log:

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

6:56:26 PM 7/29/2008
mbam-log-7-29-2008 (18-56-26).txt

Scan type: Quick Scan
Objects scanned: 52070
Time elapsed: 12 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 11
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\amvipkmb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyxULcB.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\igikxp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b71bf2e3-7a75-4e51-bcf5-2f0063a2e3d4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b71bf2e3-7a75-4e51-bcf5-2f0063a2e3d4} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd48c541-364c-4f20-bb14-f51d068056c6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd48c541-364c-4f20-bb14-f51d068056c6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb9c6ccc-3fbb-4ca2-acf9-1e7cf2a6726e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a85f7a6f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lanmanwrk.exe clean (Backdoor.Qmop) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxulcb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxulcb -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Application Data\rhc7cuj0ev6l\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyxULcB.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\BcLUxyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BcLUxyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igikxp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\amvipkmb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bmkpivma.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ishxdvjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njvdxhsi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lanmanwrk.exe (Backdoor.Qmop) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejtcysts.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nbsubk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wkbjdisa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winlu66.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Crystal Xu\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crystal Xu\Local Settings\Temp\s1265.php (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lanmandrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:50 AM

Posted 29 July 2008 - 06:44 PM

After so many

Delete on reboot

it's best to run another scan and post that log
Chewy

No. Try not. Do... or do not. There is no try.

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,570 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:50 PM

Posted 29 July 2008 - 06:52 PM

Some of those Backdoors and Rootkits can be very dangerous. I would suggest you change all your passwords immediately from a known clean computer - especially any banking passwords and the like.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 Shokotan

Shokotan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 29 July 2008 - 07:07 PM

I'm 15 so I don't have any super-important banking information or anything... but I'll try that.

Also, I use an automatic login tool to log into email accounts, etc. I don't actually type anything - I click a button and it logs in for me. With that, can people still steal my passwords?

it's best to run another scan and post that log


I will do that, then, as soon as my updates finish installing...

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:50 AM

Posted 29 July 2008 - 07:27 PM

I don't actually type anything


that's probably even more dangerous, the point is, someone else is in control of your computer and if you had confidental critical financial information, that was already compromised
Chewy

No. Try not. Do... or do not. There is no try.

#8 Shokotan

Shokotan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 29 July 2008 - 07:32 PM

Oh, I see. I ran another scan...

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

8:31:03 PM 7/29/2008
mbam-log-7-29-2008 (20-31-03).txt

Scan type: Quick Scan
Objects scanned: 51679
Time elapsed: 15 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


^ It was only a Quick Scan though. Should I run a full scan, or am I cured? *hopeful*

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:50 AM

Posted 29 July 2008 - 09:06 PM

You should be, but you need to watch for any symptoms of infection, often times it requires another program or two to find and remove hidden parts that one progrm won't detect. I like to double check with SAS and ATF cleaner from safe mode

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Even then you can't be absolutely sure. Death and taxes

http://technet.microsoft.com/en-us/library/cc512587.aspx

backdoors and rootkits are serious
Chewy

No. Try not. Do... or do not. There is no try.

#10 Shokotan

Shokotan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 30 July 2008 - 05:08 PM

I used ATF, and then I scanned with SAS in safe mode. Here's what SAS found with the full scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/30/2008 at 05:49 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 03:32:48

Memory items scanned : 184
Memory threats detected : 0
Registry items scanned : 6974
Registry threats detected : 0
File items scanned : 121636
File threats detected : 8

Malware.Installer-Pkg/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE


I hope I'm okay now. I really don't want to reformat my computer... I don't think it's needed. If it was my dad's computer that would be a different story.

Anyway, thanks so much for the help! And if there's anything else I should do, please tell me :thumbsup:

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,570 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:50 PM

Posted 30 July 2008 - 05:21 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 Shokotan

Shokotan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 30 July 2008 - 06:07 PM

I created a new Restore Point, but I don't know how to delete the old ones.

I don't have a More Options tab. :thumbsup:

Edit: Oh wait, nevermind. Sorry.

It's done now. Sorry for my idiocy up there. ;D

Edited by Shokotan, 30 July 2008 - 06:13 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users