
Browser All Messed Up Had Some Stuff In My Registry


16 replies to this topic

#1 gonefishin


Posted 31 July 2008 - 04:47 PM

To begin with, I had made a previous post and ended up restoring my computer. And I'm tired of wiping my computer and restoring it when this just comes back..........


First off, I've run a bunch of different scans and none of them do any good whatsoever.
I've run Kaspersky, Trend, Spyware Doctor, Avast, Malwarebytes, SUPERAntiSpyware, a-squared....
Ran some in Safe Mode, also disabled System Restore. All show my computer is clean... but I knew they were all wrong,
since objects on my browser keep moving around and a funny Google toolbar has been added. I have pictures of all of this.

I found some files in my registry that are made by W32/Mimail.i@MM. See, I ended up Googling my trouble and I ended up at a McAfee virus glossary page. Here's the thing: nothing is finding a W32/Mimail.i@MM on my computer, but I have W32/Mimail.i@MM registry files. Here's an image of the files I had and deleted; this is from the McAfee virus glossary.

BleepingComputer will not allow me to paste any pictures on here, so here is the link to the first
at Photobucket with details:
http://s231.photobucket.com/albums/ee33/ma...current=big.jpg

And now here's a picture of my toolbar with some details:
http://s231.photobucket.com/albums/ee33/ma...nt=pagezzzz.jpg

Would like to know how to get my toolbar and internet page back to normal again.

My computer is not up to date, by the way, because I've restored the thing 4 or 5 times.


I also have a file in my registry; it is named bootconf.exe.
Kinda scared to touch it because it has the word boot in it. Maybe something to do with computer booting? I dunno.

But from Googling that file, the bits I've read say bootconf.exe has to do with homepage hijacking.
But I don't wanna touch it till someone more experienced can give me some info.

Also found another file in the same part of the registry just moments ago: fngn.dll.
According to a Google search, Trend Micro says the file is made by TROJ_PSWSYS.E.

Still don't understand why none of these spyware gadgets or antivirus softwares can locate this stuff and get rid of it.

By the way, all of this stuff seems to kinda stand out because the normal stuff in this part of the registry doesn't have any .exe or .this or .that,


because the normal stuff is like PAINT, WEATHER, MALWAREBYTES, SONIC, DEEPBURNER.

No .exe or .dll type stuff, which makes me think bootconf.exe is a fake.

Edited by gonefishin, 31 July 2008 - 05:44 PM.
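The post above is doing by eye what a responder would script: looking through a registry autostart location for entries that do not look like the usual installed programs. The PowerShell below is an added example, not code from the thread or from any of the tools named in it. It assumes the location being browsed is one of the standard Run/RunOnce keys (the thread does not say which key it was) and flags each entry whose file is missing, lives outside the usual program directories, or carries no valid Authenticode signature. The bootconf.exe and fngn.dll names from the thread are not special-cased; any entry with those properties gets flagged.

```powershell
# Added example, not from the thread: triage Run/RunOnce autostart entries.
# Assumption: the registry location being browsed is one of the standard Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where legitimately installed autostarts normally live.
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") |
    Where-Object { $_ }

# Registry-provider metadata that Get-ItemProperty attaches to every result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Extract the executable from a command line such as: "C:\dir\app.exe" /arg
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+', 2)[0]
}

function Get-AutostartTriage {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $cmd  = [string]$p.Value
            $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $cmd))
            # Bare names such as rundll32.exe resolve through PATH, not the current directory.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $resolved = Get-Command $path -ErrorAction SilentlyContinue
                if ($resolved) { $path = $resolved.Definition }
            }
            $flags = @()
            if (-not (Test-Path -LiteralPath $path)) {
                # An entry pointing at a file that no longer exists is common leftover from
                # a partial cleanup; remove it so a re-created file is not launched unnoticed.
                $flags += 'file-missing'
            } else {
                $inExpected = $false
                foreach ($root in $expectedRoots) {
                    if ($path -like "$root\*") { $inExpected = $true }
                }
                if (-not $inExpected) { $flags += 'unusual-location' }
                # Most vendor autostarts are Authenticode-signed; an unsigned binary is not
                # proof of malware, but it is the entry to research first.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Flagged entries sort to the top; unflagged ones follow alphabetically.
Get-AutostartTriage | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize -Wrap
```

The output is a triage list, not a verdict: a legitimate program installed to an odd directory will show `unusual-location`, and some older vendor binaries are unsigned. The useful pattern is the one the poster noticed, an entry that does not correspond to anything you installed, and the flags just make that comparison systematic.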




#2 boopme


Posted 31 July 2008 - 05:40 PM

Hello, please tell us your operating system and antivirus (the installed active one). I'm not certain from the info above.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 gonefishin


Posted 31 July 2008 - 05:51 PM

I don't have any antivirus on here right now. Did have Kaspersky but took it off. Tried different stuff and none of them were finding anything, so I took Kaspersky off; figured I'd wait on you guys.

Windows XP Service Pack 2, Compaq, AMD Athlon 64 processor 3500+
991 MHz, 448 MB of RAM

That's all from System Properties, General.

#4 boopme


Posted 31 July 2008 - 07:06 PM

Hello, I have just read that Trend Micro has just added an update (7/31) that should clear this.
Try running HouseCall on your PC.

#5 gonefishin


Posted 31 July 2008 - 09:53 PM

Followed your instructions and ran HouseCall; it didn't find anything but some cookies.

I re-ran my Spyware Doctor again, and it found
Trojan.Agent!sd5


Looked up Trojan.Agent!sd5. Couldn't find much info on it;
found a page though: http://www.threatexpert.com

and it showed a little bit about the threat. In the description it said: "A code with the rootkit-specific techniques designed to hide the software presence in the system."

It also has what other names this goes by as listed by companies like Kaspersky, Trend, McAfee and Norton:

Trojan.Agent!sd5 is listed as Hacktool.Rootkit by Symantec
and listed as NTRootKit-J by McAfee.


Also, http://www.threatexpert.com lists the actual name of the file itself as defLib.sys. Looked up more info about rootkits and Googled rootkits and found a BleepingComputer page about rootkits and all the different ones out there, and in the list was defLib.sys.
Says it's added by the Troj/NtRootK-CA rootkit.

I rescanned my comp with Spyware Doctor, then downloaded F-Secure Black. As far as I can tell everything seems to be normal.... Also, from what I read, the prevalence of this particular rootkit is low.

I still can't believe the great Kaspersky couldn't detect the rootkit since it even has its own setting to detect rootkits. That's not good at all..... Kaspersky also has a specific setting for browser security to stop browser hijackings, but as we all know I got
my browser hijacked, and that was while I was running Kaspersky.

Anyways, sorry for posting and taking up time when you guys could have been helping someone else who probably needed help more than I did.... Didn't know I'd end up getting it out myself, considering I'm not that computer smart at all,
but I kept piddling round till I guess my piddling succeeded.

Edited by gonefishin, 01 August 2008 - 01:53 AM.


#6 DaChew


Posted 01 August 2008 - 05:03 AM

When you have an infection that's extremely well written, code-wise, you can never be sure you got rid of it. This article, written a few years ago, is the best I have ever read about the problem.

Sometimes it's better to just reload; that's why I keep SP3 handy and have slipstreamed it into my different install disks.

http://technet.microsoft.com/en-us/library/cc512587.aspx
Chewy

No. Try not. Do... or do not. There is no try.

#7 gonefishin


Posted 01 August 2008 - 02:01 PM

The time on my computer has suddenly changed. Virus or something? I can't get it back to normal at all. When I click on the time it pops up and says, for example, right now in my time zone it's 1:55, but below on the taskbar the time says 13:55. Also in the Date and Time Properties box, under the tab marked Internet Time, it says next synchronization at 8/1/2008 13:55, then says an error occurred while Windows was synchronizing with... But under the Time Zone tab my time zone is set normally. Any clues how to get back to normal?

And seems Chewy was right about not getting rid of it....

Edited by gonefishin, 01 August 2008 - 02:06 PM.


#8 DaChew


Posted 01 August 2008 - 03:41 PM

control panel>region and language>customize>time>h:mm:ss tt

#9 gonefishin


Posted 02 August 2008 - 05:13 AM

Tried it. Even read a guide on setting the clock. Clock is infected, will not turn back. Ran the 20-hour McAfee DOS scan; didn't do any good either. Guess I will fork out the money and have a professional clean it for me.


Thanks for help.

Whoever runs the forum, please close my post.

Edited by gonefishin, 02 August 2008 - 05:18 AM.


#10 gonefishin


Posted 04 August 2008 - 04:50 PM

I'm gonna put this here for anyone who is having an awful time with rootkits and those types of things. In the end, SDFix was the only thing that got me back to normal and everything running fine. I went through antivirus after antivirus and spyware remover after spyware remover. Turns out I had some trojans that, when I looked them up and Googled the files, it said the following: polymorphic code to mutate malware, combined with encryption to evade detection.

Also, here is a line from Kaspersky on a webpage about trojans:

Hackers have begun employing the same techniques with self-mutating Trojan programs, said Eugene Kaspersky, founder of security vendor Kaspersky Lab. Such Trojans are planted on malicious Web sites and can mutate with every download, making them very hard to detect. The result: Each user who visits a Web site infected with such a Trojan can be infected with a different version of the same program.
"We have to develop a special utility to extract this junk out of the malicious code, but it takes time" because each Trojan is a distinct variant, he said. So far, efforts to develop an automated tool for fighting such Trojans have proved "challenging," Kaspersky said.

I'm gonna add this. I scanned my computer with antivirus after antivirus: AVG, Avast, Trend, Kaspersky, the McAfee DOS scan which took around 20 hours scanning every file.. McAfee says their DOS scan removes any threat no matter how hard to remove (it failed!). Tried Malwarebytes, SUPERAntiSpyware, a-squared, Ad-Aware, Spybot Search & Destroy... What did do some good: Spyware Doctor was able to locate the rootkit after deleting some files in the registry. F-Secure found some kind of ActiveX component that it said the rootkit gained entrance through....... But in the end SDFix is what finally took care of it and got rid of 5 polymorphic mutating trojans.......

So in the end SDFix pulled me out of the danger zone! So thumbs up to the guy who makes it.

Maybe my post can shed some light on how dangerous this stuff is becoming and maybe help somebody who is in the same boat.

Edited by gonefishin, 04 August 2008 - 04:56 PM.


#11 boopme


Posted 04 August 2008 - 08:39 PM

Thanks for your reply. You should consider the 3rd service pack, as it contains further security items for Windows. Also, if there are no more signs of infection...
Now you should set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

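The restore-point steps in the post above are the GUI route. As an added example, not part of the moderator's instructions, the same post-cleanup baseline can be created and verified from an elevated PowerShell prompt using the built-in System Restore cmdlets. The description string is constructed here; Disk Cleanup remains the way to drop the older points, exactly as the steps describe.

```powershell
# Added example, not from the thread: create a post-cleanup restore point and confirm it.
# Run from an elevated PowerShell session; the description text is constructed here.
$description = "Post-cleanup baseline $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# System Restore is often switched off while scanning (the thread's poster did exactly that);
# make sure it is on for the system drive before creating the point.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# MODIFY_SETTINGS is the generic type for a manually created point.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

function Get-RestorePointSummary {
    # Existing points, oldest first, with the WMI DMTF timestamp converted to a DateTime.
    Get-ComputerRestorePoint |
        Sort-Object CreationTime |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

# The newest point should be the one just requested; keep its SequenceNumber in your notes,
# which is the "log" the post above recommends keeping.
$newest = Get-RestorePointSummary | Select-Object -Last 1
if ($newest.Description -ne $description) {
    Write-Warning "Newest restore point is '$($newest.Description)', not the one just requested."
}
Get-RestorePointSummary | Format-Table -AutoSize
```

One caveat when running this on Windows 8 or later: Checkpoint-Computer refuses to create a second point within 24 hours of the previous one and only emits a warning, which is why the script checks the newest point's description rather than assuming success. Removing the older points is still done through Disk Cleanup > More Options > System Restore, as the steps above say.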

#12 gonefishin


Posted 05 August 2008 - 04:06 PM

Trouble came back again this morning. Now it's messing with my pictures: whenever I save a picture it turns it into some kind of white file, then adds a picture of a carrot that says Thumbs.db. Could do a HijackThis log, but I know it takes a while since the HijackThis team is very busy and could be 5 or more days, and with my luck my comp will be back to having so many errors and corrupt files I may have to restore it again.

#13 gonefishin


Posted 05 August 2008 - 05:37 PM

Ran a free Norton deep scan and it said the following after the scan:

C:\WINDOWS\system32\404Fix.exe is infected with IEDefender

Googled IEDefender and ended up at a site like Bleeping, and it had a post
with a moderator saying run some kind of tool to get rid of it. Ran it;
now pictures are back to normal........ Will try as suggested and make a new restore point.
Got my fingers crossed; hope I don't wake up tomorrow with a new trouble.

Edited by gonefishin, 05 August 2008 - 05:38 PM.


#14 gonefishin


Posted 07 August 2008 - 07:12 PM

Came back, has something new: if I left-click a file, the words Sharing and Security are shown. If I click Sharing and Security my screen disappears and says error and pops up a "Windows must now close" box. Windows has something called Sharing and Security; when I click on Properties on the same tab it says "understand this is a security risk but if you want to share click here". So from what I can gather all my personal information is being shared by a hacker now. All of my efforts deleting rootkits and trojans have become a joke. This hacker is toying with me; as soon as I get rid of one of his hidden trojans he just makes another. He probably has full control over my computer and knows it. Don't even see the point of owning a computer anymore; unless you're a computer egghead you don't stand a chance against a real hacker. All of this antivirus software has been the biggest joke I've ever seen; none of it does any good.

Edited by gonefishin, 07 August 2008 - 07:18 PM.


#15 boopme


Posted 07 August 2008 - 07:50 PM

You will need to post a HijackThis log in that forum and have the experts clear it out.
I would keep this off the internet as much as possible till then. Also, if you have any personal and financial info on this PC, I would consider changing all that after you are cleaned.
What A/V and firewall do you regularly use?

Please follow the instructions in this tutorial for posting a HijackThis log.

Preparation Guide for use before posting a HijackThis Log

After you have created it, post the log here: HijackThis Logs and Malware Removal, and NOT in this topic, thanks.

Click on New Topic and copy/paste the entire log into the reply. Give it a relevant title.
Once you have posted the log, DO NOT reply to it or change it until contacted or advised to do so by the HJT Team tech.
Should you have any other questions about this, ask those here.



