
Downloaded "fees_2008-2009" Attachment From Spam Email - Whoops..


3 replies to this topic

#1 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:24 AM

Posted 25 August 2008 - 05:36 PM

Hi. As mentioned in the description, I'm trying to clean my PC of any leftovers that may still be on the system from an infection caused by the following file: "fees_2008-2009_____________.doc.exe".

When I downloaded the file to the desktop and opened it (bad idea, should have thought twice), Avast 4.8 pointed out to me via popups that this file contained many trojans. I either moved the files to the chest or deleted them, depending on what it would let me do. At the same time, Comodo Firewall Pro also gave me several popups warning me that the file was trying to change drivers in the system32 folder. I clicked "block" on each request.

Ran Avast 4.8 - found nothing. Ran Spybot S&D - found 1 file (listed as vunulo or something similar). I clicked the "Fix it" button.

Ran Uniblue SpyEraser v2.0; it found 36 registry keys as being infected. They were listed as "Malware (General components)" and have been removed. These registry keys were as follows:

1) hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\...

The different endings:


2) hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\...


Plus this reg key as well:

hkey_local_machine\software\microsoft\windows\currentversion\image file execution options\explorer.exe

But this bound nasty executable file on the desktop (still in the same place from the original download) was refusing to be deleted by me or detected by the software I'd tried so far. So I thought about the online scanners I knew and ran Panda ActiveScan v2.0, and it found more infections - maybe 8? (and dealt with them).

I restarted the PC to see what effect all this had on the system. Not good - I got to the Windows login screen after it flickered on, but the mouse and keyboard didn't produce any output on screen. With my limited knowledge of computers, I thought this could be due to a driver problem - e.g. some system drivers gone corrupt or deleted, perhaps due to the scans etc.?

I decided the best way to get my PC back up and running fine was to repair the current OS installation on the hard drive. After restarting and activating the OS, with the PC running fine, I downloaded and ran an Ad-Aware scan (thorough, all drives) and it found nothing.

I tried renaming the unzipped folder (that the file was sitting inside) on the desktop. That worked, along with moving it to the recycle bin and subsequently deleting it, so I thought I might be getting somewhere?

I have done a HijackThis log, and can attach it in a following post if required.

If someone could point me in the right direction of where I need to go, or tell me the steps for eradicating all the nasties, that would be great. I would like a clean system please.

Thanks

Dev.

System specs:
Windows XP Pro SP3
ASUS P5N-D
Intel 3GHz core2Duo E6850

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog
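The two kinds of registry locations the poster's scanner flagged, ZoneMap domain entries and an Image File Execution Options key for explorer.exe, can be audited without a third-party tool. The following PowerShell is an added read-only example (not from this thread or from any of the scanners mentioned); it assumes the standard key locations (the IFEO key lives under Windows NT\CurrentVersion) and an elevated prompt so HKLM is fully readable.

```powershell
# Added example, not from the thread: read-only audit of the registry areas the
# poster's scanner reported. Run in an elevated PowerShell on the affected machine.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-ZoneMapDomains {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return }
    # Each domain is a subkey (optionally with a host subkey such as "www");
    # its values are scheme names (http, https, *) whose DWORD data is the zone number.
    foreach ($key in Get-ChildItem -Path $base -Recurse) {
        $domain = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            [pscustomobject]@{ Hive = $Hive; Domain = $domain; Scheme = $scheme; Zone = $zoneName }
        }
    }
}

function Get-IfeoDebuggers {
    # A "Debugger" value here makes Windows launch that program instead of the named image,
    # which is why an IFEO key for explorer.exe deserves attention.
    $base = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem -Path $base) {
        $dbg = $key.GetValue('Debugger')
        if ($dbg) { [pscustomobject]@{ Image = $key.PSChildName; Debugger = $dbg } }
    }
}

$zoneEntries = @(Get-ZoneMapDomains 'HKCU') + @(Get-ZoneMapDomains 'HKLM')
$zoneEntries | Sort-Object Hive, Domain | Format-Table -AutoSize

# Entries in Trusted Sites get relaxed browser security; an unfamiliar domain there is suspect.
foreach ($e in $zoneEntries | Where-Object { $_.Zone -eq 'Trusted Sites' }) {
    Write-Warning "Trusted Sites entry: $($e.Hive) $($e.Domain) [$($e.Scheme)]"
}

$hooks = @(Get-IfeoDebuggers)
if ($hooks.Count -eq 0) { 'No IFEO Debugger values set.' } else { $hooks | Format-Table -AutoSize }
```

The script only reports; removing an entry is a separate decision, since legitimate software and domain policy also populate these keys.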




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:24 AM

Posted 25 August 2008 - 09:01 PM

Hello. OK, before we post that HJT log (if we have to), would you run this tool please. If you have the TeaTimer option enabled in Spybot, either disable it for now or allow all the changes it asks for.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 dev00790

dev00790

    Bleeping Chocoholic

  • Topic Starter

  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:24 AM

Posted 30 August 2008 - 05:59 PM

Hi. Sorry for the slow reply. I did a full reinstall of the Win XP Pro OS, as I was still having issues; the PC is working much better now.

Log shown below.

Malwarebytes' Anti-Malware 1.25
Database version: 1099
Windows 5.1.2600 Service Pack 3

11:55:22 PM 8/30/2008
mbam-log-08-30-2008 (23-55-22).txt

Scan type: Quick Scan
Objects scanned: 41355
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards, dev00790



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:24 AM

Posted 30 August 2008 - 09:54 PM

Sometimes that is the best solution. Thanks for telling us.