
Trying To Cleanup From Antivirus Xp 2008 Attack


#1 JasperCody
  • Members
  • 3 posts

Posted 01 September 2008 - 02:22 PM

I am crying uncle. I give up. I have battled for 4 days. Here it is a holiday, and I've been inside all day still battling. I am stupid - was researching something normal (I was nowhere shady - just informational on a topic) saw a box pop up that I swear had matching identical graphics to my Norton antivirus - fairly new version I had just upgraded to. I looked at it briefly, it wanted to update a driver, said recommended action: always accept. I clicked it. The biggest mistake of my life. Long story short, I knew immediately I had made a really big mistake. The AntiVirus XP 2008 banners came up. I did not click on anything anywhere at that point - knew right away I was hosed with a virus - didn't realize how evil it was. To make it worse, this is what I do for a living. I'm an IT Manager. I am now a VERY compassionate IT Manager. So - I have followed several threads here and have done everything. 2 or 3 times. I have installed and run SmitfraudFix, Revo Uninstaller, Malwarebytes' Anti-Malware, AVG 8.0, and several more tools. I can't get rid of new files that keep embedding in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5. There are about 6 of them at the moment. I have been in and out of Safe Mode numerous times. Both in my user login name and Administrator. I don't use the Administrator account for anything. Just this. I am next to tears, and am now gathering all my discs to do a full wipe and reinstall. You are my last resort. Can somebody please help at this point? Thanks.

p.s. have tried deleting the files via cmd prompt, it won't let me. I can see the files, but can't delete them.

Edited by JasperCody, 01 September 2008 - 02:24 PM.



#2 rigel
  • BC Advisor
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 01 September 2008 - 03:23 PM

Hi JasperCody,

Welcome to BleepingComputer :thumbsup:

We have two options here. We can try reruns of some of the programs you have tried, and add a tool to see if we can fix it here...
or
You can try a more intense cleaning in the HJT forum. The tools used in that forum have to be used only under supervision of a trained HJT tech.

If you choose to remain here, please update Malwarebytes and post a new log.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 JasperCody (Topic Starter)
  • Members
  • 3 posts

Posted 01 September 2008 - 07:25 PM

Thanks for replying so quickly. I was an inch away from throwing in the disc and reformatting. Probably losing files I would be sorry about forever. Okay, I ran Malwarebytes and it found nothing this time. Oddly enough. So I ran AVG 8.0, and it found only one thing. Here is what it listed:

Virus Name:
Trojan horse Dropper.Bravix.A

Path to File:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0001009.dll


I then ran Kaspersky again, and it just found 3 items that are related to SmitfraudFix. Here is the list:


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 1, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 01, 2008 23:43:34
Records in database: 1175988
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 72102
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:20:17


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\All Users\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\All Users\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

Here's the same Kaspersky scan from about 9:30ish this morning:

File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\myway[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\contentmodule[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\errdocs_myway_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\google_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Nancy L. Carlson\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Nancy L. Carlson\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\RECYCLER\S-1-5-21-1788796453-3468427613-2019126298-1007\Dc301.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.

That is the weird thing about this. I keep running scans, and it keeps finding new things. Just bizarre. Now what I'm wondering is where the heck did the 6 Trojan items go that were just in my C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 this morning at 9:30 a.m.? The DOS command said the directories did not exist when I tried to delete them, but when doing a dir /a, there they were. And I think they are still there. I just went to that directory via the cmd prompt and here's what is showing:

Directory of C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

09/01/2008 09:46 <DIR> .
09/01/2008 09:46 <DIR> ..
08/31/2008 20:36 <DIR> 4BSPEZOF
09/01/2008 09:46 <DIR> 70RX33LE
04/11/2008 20:07 67 desktop.ini
09/01/2008 09:46 <DIR> I3SFND9O
09/01/2008 09:55 32,768 index.dat
09/01/2008 09:46 <DIR> QBTPXD1H
09/01/2008 09:46 <DIR> ZVBIQEWS
2 File(s) 32,835 bytes
7 Dir(s) 5,040,525,312 bytes free

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5>

Any other scans I could try to be sure I am clean? Nothing shows up in explorer past Local Settings. There's one folder called Temp. This stuff is hidden. Also, I was trying to get to the ZoneAlarm site to download the free firewall, my browser just hangs and won't go there. Otherwise, I seem to be able to go to Internet sites. I upped my security settings to the max. Thanks.

Edited by JasperCody, 01 September 2008 - 07:30 PM.
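The two Kaspersky tables in this post, and the question of where the six Trojan items went, are the kind of thing an incident handler answers by diffing scan results rather than re-reading them. The Python below is an added example, not code from the thread or from any of the tools named in it. It parses the report lines exactly as pasted above (the sample input is constructed from that text), labels each hit by where it lives (browser cache, the cleanup tool's own riskware helper, the Recycle Bin, or a System Restore snapshot like the one AVG reported), and diffs the morning scan against the later one. The category names, the classification rules and the function names are my own assumptions, not anything Kaspersky or AVG define.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two "File name / Threat name / Threats count"
# tables pasted in this post (the ~9:30 a.m. scan and the later one).
MORNING_SCAN = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\myway[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\contentmodule[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\errdocs_myway_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\google_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Nancy L. Carlson\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Nancy L. Carlson\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\RECYCLER\S-1-5-21-1788796453-3468427613-2019126298-1007\Dc301.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
"""

LATER_SCAN = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\All Users\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\All Users\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.
"""

# One result line: "<path> Infected|Suspicious: <threat> <count>".  Paths contain
# spaces, so the path group is non-greedy and anchored by the verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text):
    """Return the Detection records found in a pasted scanner table."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def classify(det):
    """Bucket a hit by where it lives (hypothetical categories chosen for triage)."""
    p = det.path.lower()
    if det.threat.lower().startswith("not-a-virus:"):
        return "riskware"        # scanner flags a tool by name; here SmitfraudFix's Reboot.exe
    if "\\content.ie5\\" in p:
        return "browser-cache"   # cached page from the drive-by; gone once the cache is cleared
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # preserved in a snapshot; an old restore point can bring it back
    if "\\recycler\\" in p:
        return "recycle-bin"
    return "other"


def summarize(dets):
    """Count detections per category."""
    return Counter(classify(d) for d in dets)


def actionable(dets):
    """Hits that still need attention: everything except riskware labels on known tools."""
    return [d for d in dets if classify(d) != "riskware"]


def diff_reports(old, new):
    """Paths resolved since the earlier scan, newly seen, or present in both."""
    old_paths = {d.path.lower() for d in old}
    new_paths = {d.path.lower() for d in new}
    return {
        "resolved": sorted(old_paths - new_paths),
        "new": sorted(new_paths - old_paths),
        "persistent": sorted(old_paths & new_paths),
    }


if __name__ == "__main__":
    morning, later = parse_report(MORNING_SCAN), parse_report(LATER_SCAN)
    print("morning:", dict(summarize(morning)), "| later:", dict(summarize(later)))
    delta = diff_reports(morning, later)
    for key in ("resolved", "new", "persistent"):
        print(f"{key}: {len(delta[key])}")
    print("still actionable after later scan:", len(actionable(later)))
```

For the tables as pasted, every morning hit is absent from the later run, the three later hits are all riskware labels on SmitfraudFix's own files, and `actionable()` therefore returns nothing for the second table. The four cache hits sat under Content.IE5 subfolders (6JYLAZOX, O9YJK1IJ, OT2JQP0H) that do not appear in the `dir` listing later in this post, which is consistent with the cache having rotated rather than the files having been hidden. The restore-point category exists so that a hit like the AVG one under System Volume Information is called out separately, since scanners cannot always remove files there.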


#4 rigel
  • BC Advisor
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 01 September 2008 - 08:14 PM

That is a good sign with 0 Malwarebytes infections!

Let's run the next step in scans. Please follow this procedure... In the meantime, I will be doing some research on your logs. :thumbsup:

Please download ATF Cleaner by Atribune & save it to your desktop.
(Alternate download link.) DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#5 JasperCody (Topic Starter)
  • Members
  • 3 posts

Posted 06 September 2008 - 01:59 PM

I am happy to report that I think my computer is finally truly clean and free from infection. I ran the SuperAntiSpyware first and it only had one tracking cookie. I then ran the ATF cleaner. I ran a Kaspersky scan, and it came out clean for the first time since I got this. Ran a Malwarebytes scan, came out clean. Have run 2 or 3 AVG scans, all coming out clean.

Thank you so much for this great site and for your help. I have since locked down security even more tightly and have added the ZoneAlarm firewall as suggested in one of your other great posts.

If you have been affected by the nasty Antivirus XP 2008, don't give up hope. Keep running the different tools. You'll get there. Follow the instructions from the support techs here. They know their stuff. I think it took 5-6 different anti-spyware/malware tools to finally get things cleaned out. Thanks again so very much. :thumbsup:

#6 rigel
  • BC Advisor
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 06 September 2008 - 04:00 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Safe surfing!
