Warning! Your Pc Possible Infected Due To Visiting Exploited (hacked) Site...


12 replies to this topic

#1 Booga Booga (Members, 6 posts)

Posted 17 September 2008 - 08:39 PM

This problem has been very persistent and whatever I do I can't seem to get rid of it! I've included screenshots below. The gist of this is whenever I go to a website (doesn't really matter which one) I get those errors! I am running Windows XP Service Pack 2. If you would like more information just ask.


http://i16.photobucket.com/albums/b40/boog...galz92/wth2.jpg
http://i16.photobucket.com/albums/b40/boogaboogalz92/wth.jpg

I'm guessing it's the same problem as this guy had...
http://www.bleepingcomputer.com/forums/t/167891/what-if-i-dont-want-to-buy-their-anti-spyware/

That said, I've already done what the guy said in post number 2 (with the Malwarebytes' Anti-Malware program).

Here's my log:


Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 2

2008-09-17 20:14:11
mbam-log-2008-09-17 (20-14-11).txt

Scan type: Quick Scan
Objects scanned: 47395
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7221E2B7-FFBF-337E-7121-006F0D253BCC} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\admutilinfo (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ttecvye\admutilinfo.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Michael\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.


I'd be very grateful for any and all help!!
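The MBAM log above is a fixed-format report, so its findings can be pulled out and triaged mechanically rather than read line by line. The following Python script is an added example, not part of this thread and not Malwarebytes' code: it parses a log in that format, counts findings per detection name, flags items still marked "Delete on reboot" (the reason boopme asks whether the reboot was done), and labels the registry locations that are known autostart points (Winlogon Notify packages, ShellServiceObjectDelayLoad, service registrations, CLSID entries; the Run-key check is a generalisation beyond what this particular log shows). The embedded sample log is a constructed excerpt of the log above, and the persistence labels and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the MBAM quick-scan log posted in this thread,
# trimmed to a few sections so the parser can be exercised offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7221E2B7-FFBF-337E-7121-006F0D253BCC} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\admutilinfo (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\ttecvye\admutilinfo.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# A section header is "<Category> Infected:" with nothing after the colon;
# the summary lines near the top carry a count instead and are skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One finding: "<item> (<detection name>) -> <action taken>."
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry locations that load code automatically; the labels are my own shorthand.
PERSISTENCE_HINTS = [
    ("\\winlogon\\notify\\", "winlogon_notify"),    # DLL loaded by winlogon at logon
    ("shellserviceobjectdelayload", "ssodl"),        # DLL loaded by Explorer at start
    ("\\currentcontrolset\\services\\", "service"),  # service or driver registration
    ("\\clsid\\{", "com_class"),                     # COM class, often a BHO or shell hook
    ("\\currentversion\\run", "run_key"),            # Run/RunOnce, not present in this log
]


def parse_mbam_log(text):
    """Return one dict per finding, tagged with the section it appeared under."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        hit = FINDING_RE.match(line)
        if hit and section:
            findings.append({"section": section, **hit.groupdict()})
    return findings


def classify_persistence(item):
    """Label a registry path if it is a known autostart location, else None."""
    low = item.lower()
    for needle, label in PERSISTENCE_HINTS:
        if needle in low:
            return label
    return None


def summarize(findings):
    """Counts per detection name, items awaiting reboot, and persistence points."""
    return {
        "total": len(findings),
        "threats": Counter(f["name"] for f in findings),
        "pending_reboot": [f["item"] for f in findings if "reboot" in f["action"].lower()],
        "persistence": {f["item"]: classify_persistence(f["item"])
                        for f in findings if classify_persistence(f["item"])},
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} findings: {dict(report['threats'])}")
    for item, label in report["persistence"].items():
        print(f"persistence [{label}]: {item}")
    for item in report["pending_reboot"]:
        print(f"still pending, reboot required: {item}")
```

Run it on a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; anything in "pending_reboot" has not actually been removed until the machine restarts, and a non-empty "persistence" list tells you which autostart hooks the dropper had installed, which is worth cross-checking against the follow-up scan.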

#2 boopme (Global Moderator, 72,214 posts, NJ USA)

Posted 17 September 2008 - 08:49 PM

Hi, you know it's bogus when you see the grammar they used in link two:
"Warning! You infected by this site"

OK, good. Did you do the needed reboot? If not, do that. Then check for an update to MBAM, rescan and post another log.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Booga Booga (Topic Starter, Members, 6 posts)

Posted 17 September 2008 - 08:59 PM

Haha yeah, I just laughed when I saw that.

Did the reboot and doing another scan at the moment....

While I'm waiting though, do you know how to change the clock in the lower right-hand corner of the screen from military time (24-hour) to normal time (12-hour)? That's also been bugging the living daylights out of me.


http://i16.photobucket.com/albums/b40/boog...ilitarytime.jpg




Okay, well here's the log! It found NOTHING, which is either good or bad. Good as in everything's gone... or bad as in it couldn't find anything, but it's still there, just hidden. (By the way, so far the message hasn't popped up yet.)




Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 2

2008-09-17 20:57:33
mbam-log-2008-09-17 (20-57-33).txt

Scan type: Quick Scan
Objects scanned: 47253
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme (Global Moderator, 72,214 posts, NJ USA)

Posted 17 September 2008 - 09:10 PM

Looks good. A couple more things to be sure.

TIME FIX:
To change your time, go to Start , Control Panel and double-click Date, Time, Language and Regional Options.
Note: Depending on your settings (classic view) it may show as Regional and Language Options.

In the Regional Options tab, under Standards and formats click the Customize... button.
Click the Time tab, and then click the down arrow next to the Time format box.
Select: h:mm:ss tt
Click Apply then Ok to exit.


Now scan with SAS

Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#5 Booga Booga (Topic Starter, Members, 6 posts)

Posted 18 September 2008 - 08:27 PM

Thanks a bunch, the clock is now back to normal! Here's my log... found 2 things.





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/17/2008 at 11:04 PM

Application Version : 4.21.1004

Core Rules Database Version : 3571
Trace Rules Database Version: 1559

Scan type : Complete Scan
Total Scan Time : 01:33:28

Memory items scanned : 166
Memory threats detected : 0
Registry items scanned : 5567
Registry threats detected : 1
File items scanned : 62788
File threats detected : 1

Trojan.Malware
C:\asdf.txt

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1060284298-1390067357-725345543-1003\Software\uninstall

#6 boopme (Global Moderator, 72,214 posts, NJ USA)

Posted 18 September 2008 - 09:25 PM

Since this was a downloader trojan, and a large segment of trojan programs download other harmful software components to a user's PC without his/her knowledge, let's update and run MBAM once more. Post that new log. Now carefully follow the instructions to run SDFix. It may come back clean, but these DNS types could allow the intruder access through the internet to your PC.



Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#7 Booga Booga (Topic Starter, Members, 6 posts)

Posted 18 September 2008 - 10:22 PM

SDFix: Version 1.226
Run by Michael on 2008-09-18 at 10:15 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 22:19:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"="E:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\NetXfer\\NetTransport.exe"="C:\\Program Files\\NetXfer\\NetTransport.exe:*:Enabled:NetXfer Download Manager"
"E:\\Program Files\\Steam\\steamapps\\booga_booga\\day of defeat source\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\booga_booga\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="E:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"E:\\Program Files\\Xfire\\xfire.exe"="E:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"E:\\Program Files\\Steam\\steamapps\\booga_booga\\day of defeat source beta\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\booga_booga\\day of defeat source beta\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\Gaim\\gaim.exe"="E:\\Program Files\\Gaim\\gaim.exe:*:Enabled:gaim"
"E:\\Program Files\\Steam\\steamapps\\booga_booga\\source sdk base\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\booga_booga\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 16 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
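The "Authorized Application Key Export" in the SDFix report above is a dump of the XP firewall's per-application exceptions (executable path, scope, enabled flag, display name), which is why SDFix prints it: a dropper that adds its own exception there can talk out past the firewall, so a helper reads that list for entries that don't belong. The script below is an added example, not SDFix's code or anything from this thread, showing how to parse that export and flag the exceptions worth a second look: enabled entries whose executable sits in a user-writable directory, or that carry a core Windows process name but live outside system32. The sample export is constructed (most entries mirror the report above; the Temp\svchost.exe line is made up for illustration and is not on the poster's machine), and the review heuristics and function names are my own.

```python
import re

# Constructed sample modelled on the "Authorized Application Key Export" section
# of the SDFix report above. The first entries mirror real ones from that report;
# the Local Settings\Temp\svchost.exe entry is made up here to show what a
# suspicious exception looks like.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"E:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"="E:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe:*:Enabled:Java Platform SE binary"
"C:\\Documents and Settings\\Michael\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\Michael\\Local Settings\\Temp\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<data>[^"]+)"$')
PROFILE_RE = re.compile(r"firewallpolicy\\(?P<profile>\w+)\\authorizedapplications", re.IGNORECASE)

# Names of core Windows processes that malware likes to borrow; a binary with one
# of these names living outside system32 deserves a look.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
# Directories an ordinary user (and therefore a drive-by download) can write to.
USER_WRITABLE_HINTS = ("\\temp\\", "\\tmp\\", "\\application data\\", "\\recycler\\")


def parse_authorized_apps(text):
    """Parse the .reg-style export into one dict per firewall exception."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            found = PROFILE_RE.search(line)
            profile = found.group("profile").lower() if found else None
            continue
        hit = ENTRY_RE.match(line)
        if not hit or profile is None:
            continue
        # Value data is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the path
        # itself contains "C:", so split from the right, then undo the .reg
        # double-backslash escaping.
        parts = hit.group("data").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        entries.append({
            "profile": profile,
            "path": path.replace("\\\\", "\\"),
            "scope": scope,                       # "*" means every network
            "enabled": state.lower() == "enabled",
            "name": name,
        })
    return entries


def review_entry(entry):
    """Return the reasons (possibly none) an exception deserves manual review."""
    reasons = []
    if not entry["enabled"]:
        return reasons                            # a disabled exception opens nothing
    low = entry["path"].lower()
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("path in user-writable location")
    basename = low.rsplit("\\", 1)[-1]
    if basename in SYSTEM_NAMES and "\\system32\\" not in low:
        reasons.append("system binary name outside system32")
    return reasons


def find_suspicious(entries):
    """Attach review reasons and keep only the entries that have any."""
    flagged = []
    for entry in entries:
        reasons = review_entry(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in find_suspicious(parse_authorized_apps(SAMPLE_EXPORT)):
        print(f"[{entry['profile']}] {entry['path']} scope={entry['scope']}: "
              + ", ".join(entry["reasons"]))
```

The heuristics are deliberately narrow: legitimate programs under Program Files (uTorrent, Java, the games in the report) pass untouched, while an executable in a Temp folder or one impersonating svchost.exe is surfaced for the person reading the log to decide on. Entries the script flags are a prompt to look, not a verdict.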

#8 quietman7 (Global Moderator, 50,603 posts, Virginia USA)

Posted 19 September 2008 - 08:11 AM

Did you update MBAM's database as boopme instructed and rescan? If not, please do: perform a new Quick scan in normal mode and then post the results.

If you encounter any problems while downloading the database updates, manually download the updates and just double-click on mbam-rules.exe to install.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#9 Booga Booga (Topic Starter, Members, 6 posts)

Posted 19 September 2008 - 06:00 PM

Yep, updated MBAM and here's the new log. Very happy about this haha






Malwarebytes' Anti-Malware 1.28
Database version: 1179
Windows 5.1.2600 Service Pack 2

2008-09-19 5:59:30 PM
mbam-log-2008-09-19 (17-59-30).txt

Scan type: Quick Scan
Objects scanned: 45880
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 quietman7 (Global Moderator, 50,603 posts, Virginia USA)

Posted 19 September 2008 - 06:16 PM

How is your computer running now? Any more reports/signs of infection?

#11 rangecoach (Members, 92 posts, TX)

Posted 19 September 2008 - 09:48 PM

Booga,

You're in good hands with these folks. It sounds like you caught the same bug I did. I followed all instructions (MBAM, SAS, SDFix and ATF Cleaner) and ran each of the previously mentioned programs several times. The final cleaning with the ATF Cleaner did the trick for me.... no relapse.
The early bird may get the worm but the second mouse gets the cheese.

You are never defeated until you admit it. Gen. Patton

#12 Booga Booga (Topic Starter, Members, 6 posts)

Posted 19 September 2008 - 10:52 PM

My computer is running very well thank you :thumbsup:

And yeah rangecoach, didn't it just annoy you to no end? haha

Will definitely recommend this site to anyone with computer problems!

~Booga

#13 quietman7 (Global Moderator, 50,603 posts, Virginia USA)

Posted 20 September 2008 - 06:31 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.




