
Spyware infection


16 replies to this topic

#1 computer_illeterate

  • Members
  • 21 posts

Posted 19 October 2008 - 05:49 PM

Hi all.

I'm not the most computer literate guy out there, so I will try the best I can to explain my problem. I believe I have a spyware problem. There is a red "X" on the bottom right of my screen on the taskbar. The message says:

"Windows has detected spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up to date antispyware for you. Click here to protect your computer from spyware".

XP Antispyware 2009 was installed on my computer, but I believe I found a way to remove it. Yesterday, when it was there, I could not access most websites. Today, I can.

The symptoms I currently have:

- My homepage has changed
- I am unable to use AVG
- I am unable to use HijackThis
- I have a red X on my taskbar

What i have done so far:

- System restore to last Monday
- Windows update

Please help!

Thanks


#2 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 19 October 2008 - 08:05 PM

Hi and welcome to BleepingComputer,

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 19 October 2008 - 09:22 PM

Hi rigel.

I tried to run the program twice, but both times it just froze (the 1st time after 8 minutes, the 2nd time after 10 minutes). When I say freeze, I mean the time elapsed and documents scanned don't change; they stay at the same spot.

Then, when I close the program, I get a message that "the program is not responding" and whether I want to send an error report or not.

Is that normal?


thanks

#4 Zach712

  • Members
  • 12 posts

Posted 19 October 2008 - 09:45 PM

Sometimes it does do that, just give it some time...my scan took about 45 minutes altogether earlier today.

#5 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 20 October 2008 - 12:05 PM

Try to run the program in safe mode. Let me know if you have any problems.



#6 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 20 October 2008 - 06:48 PM

Hey rigel.

I tried in safe mode today, and it froze after 13 minutes. I get the same message that the program is not responding when I try to close it.

#7 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 20 October 2008 - 06:51 PM

Hmmm... What version of Windows are you running?



#8 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 20 October 2008 - 09:54 PM

I ran the scan again (not in safe mode) and went out. It's still running 3 hours later. So I guess it is working now. But is it normal to take this long to scan? When I run AVG, it takes 6 hours to do a scan. I'll paste the results tomorrow.

By the way, I have Windows XP.

#9 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 20 October 2008 - 10:01 PM

The quick scans usually don't take that long. Let's see how it turns out.



#10 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 21 October 2008 - 05:07 PM

I finished the scan and followed the steps. I do not see the red X with the message anymore in the taskbar. Does that mean the infection is gone!!

Here is my log.

Malwarebytes' Anti-Malware 1.29
Database version: 1292
Windows 5.1.2600 Service Pack 3

21/10/2008 5:56:22 PM
mbam-log-2008-10-21 (17-56-22).txt

Scan type: Quick Scan
Objects scanned: 343370
Time elapsed: 4 hour(s), 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatemanager (Trojan.Lop.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\AVEngn.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\htmlayout.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\pthreadVC2.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Uninstall.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Trojan.Lop.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10801.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSfd9a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSfdba.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvkql.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

#11 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 October 2008 - 05:24 PM

Welcome back, but I have some bad news...

C:\WINDOWS\system32\TDSShrxm.dll (Rootkit.Agent)
IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

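The log in reply #10 and rigel's reading of it in reply #11 follow a pattern a helper could apply to any MBAM log of that era: find the detail sections, pull out each detected item, and flag the findings that change the advice (a Rootkit.* or TDSS component, a Run-key autostart entry, a replaced system driver, an item still pending deletion on reboot). The script below is an added example written for this thread; it is not code from the forum or from Malwarebytes. The regular expressions, the detection-family names it keys on, and the "rebuild / reboot_and_rescan / rescan" verdicts are my assumptions about the log format and the triage rule rigel applied; the sample input is an excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Excerpt of the MBAM log from reply #10 (detail sections only, abbreviated).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatemanager (Trojan.Lop.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Trojan.Lop.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSfd9a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Assumed format: a section header ends with "Infected:" (the summary lines at the
# top of a real log end with a count, so they do not match) and each item line is
# "<item> (<detection>) -> <action>."
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Detection-name prefixes treated as rootkit components (assumption based on this log).
ROOTKIT_PREFIXES = ("Rootkit.", "Trojan.TDSS")
RUN_KEY = "\\currentversion\\run\\"


def parse_mbam_log(text):
    """Return {section: [{'item', 'detection', 'action'}, ...]} for non-empty sections."""
    results = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        entry = ITEM_RE.match(line)
        if entry:
            results[section].append(entry.groupdict())
    return dict(results)


def triage(results):
    """Group the parsed items into the findings that drive the remediation advice."""
    findings = {"rootkit": [], "persistence": [], "pending_reboot": [], "system_driver": []}
    for section, entries in results.items():
        for e in entries:
            item, det, action = e["item"], e["detection"], e["action"]
            if det.startswith(ROOTKIT_PREFIXES) or "\\TDSS" in item:
                findings["rootkit"].append(item)          # kernel-level component: machine not trustworthy
            if section == "Registry Values" and RUN_KEY in item.lower():
                findings["persistence"].append(item)      # autostart entry that relaunched the rogue
            if action.lower().startswith("delete on reboot"):
                findings["pending_reboot"].append(item)   # removal not complete until the reboot
            if section == "Files" and item.lower().endswith(".sys"):
                findings["system_driver"].append(item)    # a replaced Windows driver (beep.sys here)
    return findings


def recommendation(findings):
    """Apply the rule from reply #11: a rootkit component means wipe and reinstall."""
    if findings["rootkit"]:
        return "rebuild"
    if findings["pending_reboot"]:
        return "reboot_and_rescan"
    return "rescan"


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    found = triage(parsed)
    for kind, items in found.items():
        print(f"{kind}: {len(items)}")
    print("recommendation:", recommendation(found))
```

Run it against a full log saved from the MBAM Logs tab instead of the excerpt and the same parser works; the section headers and item lines are the only parts it reads, so the version banner and summary counts at the top are ignored.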


#12 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 21 October 2008 - 05:48 PM

Hi Rigel.

I would prefer not to re-format. Are there any other steps to do if I do not?

thanks

#13 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 October 2008 - 06:39 PM

"I would prefer not to re-format."

No problem. I want you to update and rerun Malwarebytes and then run one more tool to get you ready to post a HJT log.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#14 computer_illeterate

  • Topic Starter
  • Members
  • 21 posts

Posted 22 October 2008 - 08:47 PM

Hi rigel.

Are the steps above to remove an infection or to avoid one in the future? What would happen if I choose to leave things as they are? Would that make the next infection harder to remove? And if so, can't I just restore as a last resort if it ever gets that bad?

thanks

#15 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 22 October 2008 - 10:41 PM

SDFix is used to help kill the TDSS infection. Will it be 100% without a followup in the HJT forum? Probably not. If you choose to leave things as they are, you are running your computer with a piece of software designed to monitor you and steal information.

I highly recommend at least formatting or cleaning.





