SpywareGuard 2008 virus = hijacked browser

29 replies to this topic

#1 LouEllen


Posted 12 December 2008 - 12:48 PM

This is my first post and although I have worked at software companies for years, I am not even close to being a techie so please bear with me.

My son managed to acquire the SpywareGuard 2008 virus on his desktop machine. I feel like I've made great strides in getting rid of it, but something is still not right. His machine runs Windows XP Media Center Edition SP2.

Note: It is also entirely possible that there are multiple things going on here. His machine also had a trial version of something called Registry Defender Platinum v5.0, which does seem legit; I was able to uninstall it through Control Panel. In addition, I kept getting "Microsoft has encountered an error and needs to close" messages about something called Viewmgr, which I gather is used with AOL Instant Messenger. I uninstalled that and also the related software, Viewpoint Media Player.

I will try my best to explain what I've done so far.

1) Killed the processes, deleted the registry entries, deleted the malware files for SpywareGuard 2008 following instructions I found on other web sites. The SpywareGuard 2008 window no longer pops up when the machine is rebooted, so I feel like I've gotten *most* of this virus, but read on...
2) Ran a full system scan using Windows Defender. It still detected the presence of 3 trojans, Vundo.D, Conhook.D, and Vundo.gen!AE, which it claimed to remove successfully.
3) Ran a full system scan using McAfee Virus Scan. Came up clean.
4) Ad-Aware was already installed on the machine, so I thought I would try running that. The definitions file had not been updated in a couple of months, but when I clicked the "Update" button I got a message about not being connected to the internet.
5) Opened an IE window and the yahoo.com home page was displayed successfully, so obviously the message in 4) is bogus.

So then I decided to uninstall Ad-Aware (which I did successfully) and download the latest version from lavasoft.com. But when I typed "www.lavasoft.com" in the browser's address bar, I was taken to some bogus site that wanted to sell me a product called AdWareClient or something like that. I knew better than to click anything there, but who knows what it did in the background.

But any Google search now turns up a results page that looks a little off---the type is too large, the links go nowhere. I was able to go to microsoft.com, but when I tried to download the latest Windows update, I got "page cannot be displayed."
I have done multiple full scans using McAfee and Windows Defender and they come up clean every time.

Also, the machine does not reliably restart---most times I have to hit F8 a few times and then select "last known good configuration". As soon as the machine starts up, I get a Windows Explorer window showing me the contents of C:\Program Files\Common, which contains helper.dll and helper.sig.

Please help! I feel like I am SO close to getting this fixed!


#2 boopme


Posted 12 December 2008 - 04:13 PM

Hello and welcome, I feel the best thing to do here is to get a scan log from MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 LouEllen


Posted 13 December 2008 - 03:26 PM

I am having no luck at all!

On the infected machine, I cannot connect to the site in the first link you provided (or virtually any other sites).

So I used another machine to download the mbam-setup.exe and mbam-rules.exe files and then transferred them to the infected machine.

When I double-click mbam-setup.exe on the infected machine, I click Run and get an hourglass for a few seconds, then the hourglass goes away and I am never prompted to begin the installation.

So now what? It feels as if this virus has anticipated and blocked every possible attempt to diagnose and fix it! Is my only alternative to wipe the hard drive and reinstall everything? I was *so* trying to avoid that...

#4 lobotomy-


Posted 14 December 2008 - 11:42 AM

Hi again,
sorry if it's not appropriate to reply here, but I said if something worked for me I was going to tell you.
On this forum someone had the same problem and managed to fix it.
My PC is also clean after that post.
You can just rename the .exe of MBAM and SAS to .bat and you should be able to run them.
If everything is installed, just rename the .exe's to .bat and you can run the programs. Do some scans and delete the files.
Then after a reboot you should be able to update the programs and do a better scan. And that should help you fix the problem.
Grtz,
Joris

#5 LouEllen


Posted 14 December 2008 - 02:36 PM

OK, we are making some progress. I was able to run the Anti-Malware application and will post the log below.

Two good things:
1) After MBAM ran, it prompted me to restart the machine, which I did---and the machine rebooted! Yay! I did not have to use "last known good configuration." This is good!
2) I typed a word in the Google toolbar search box and the page that comes back looks normal again. I didn't click any of the links, though, because I'm not sure I'm out of the woods yet!

Two not-so-good things:
3) When the machine starts, though, I am still getting a Windows Explorer window showing me the contents of C:\Program Files\Common. That folder now contains only one file---helper.sig---where previously it contained two---helper.sig and also helper.dll.
4) McAfee tells me it is not protecting my computer and the detection signature file is between 8 and 29 days old. I don't quite know what that file is for, but I have configured McAfee to update every Friday morning and it did successfully update on 12/12/08. When I clicked "Fix" in the McAfee window, it told me I would have to reinstall all the McAfee components. I don't want to do that without checking here first...and anyway, I bought it as a download and I'm not sure I still have the file.

But anyway, first things first---here is the contents of the MBAM log file. Lots of infections!

Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

12/14/2008 1:56:10 PM
mbam-log-2008-12-14 (13-56-10).txt

Scan type: Quick Scan
Objects scanned: 51291
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccslct (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Application Data\SysCleaner (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Application Data\SysCleaner\logs (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcCSLCt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvoql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\TDSSmplj.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Local Settings\Temp\TDSS4bae.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Local Settings\Temp\version_up.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ac (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\SystemErrorFixer.exe.cer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\swupd.log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Application Data\SysCleaner\settings.dat (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysobjwertb.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cracrwinz.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Local Settings\Temp\TDSS4b6f.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.
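A way to make a log like the one above easier to review, as an added example that is not the thread's or Malwarebytes' own code: it parses the MBAM 1.31 log line format, cross-checks the declared per-section counts against the itemized entries, and flags the TDSS/rootkit-class detections and any item still marked "Delete on reboot". The embedded excerpt is a constructed, shortened cut of the log above; its summary counts are assumed to describe only that excerpt.

```python
"""Parse a Malwarebytes' Anti-Malware 1.31 scan log and triage the findings."""
import re
from collections import Counter

# Constructed excerpt of the MBAM log posted in this thread (same line format).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccslct (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\Drivers\TDSSmplj.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# "Files Infected: 4"  -> declared count for a section (summary block at the top)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> start of the itemized section of the same name
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path or key> (<detection family>) -> <action>"; the action may itself
# contain "->", e.g. "Data: digeste.dll -> Quarantined and deleted successfully."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Names that point at kernel-level/rootkit components rather than plain adware.
ROOTKIT_MARKERS = ("rootkit", "tdss")


def parse_mbam_log(text):
    """Return {'declared': {section: count}, 'items': [entry, ...]}."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:  # "(No malicious items detected)" has no "->" and is skipped
            items.append({"section": section, "item": m.group("item"),
                          "family": m.group("family"), "action": m.group("action")})
    return {"declared": declared, "items": items}


def count_mismatches(parsed):
    """Sections whose declared count differs from the entries actually listed."""
    found = Counter(entry["section"] for entry in parsed["items"])
    return {sec: (n, found.get(sec, 0))
            for sec, n in parsed["declared"].items() if found.get(sec, 0) != n}


def families(parsed):
    """How many entries each detection family accounts for."""
    return Counter(entry["family"] for entry in parsed["items"])


def triage(parsed):
    """Pull out what needs a human's attention: rootkit-class hits and unfinished removals."""
    rootkit, pending = [], []
    for entry in parsed["items"]:
        haystack = (entry["family"] + " " + entry["item"]).lower()
        if any(marker in haystack for marker in ROOTKIT_MARKERS):
            rootkit.append(entry["item"])
        if "delete on reboot" in entry["action"].lower():
            pending.append(entry["item"])  # not gone until the machine is restarted
    return {"rootkit_indicators": rootkit, "pending_reboot": pending}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("declared vs. listed mismatches:", count_mismatches(parsed))
    print("detections per family:", dict(families(parsed)))
    print("triage:", triage(parsed))
```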

#6 boopme


Posted 14 December 2008 - 07:47 PM

Ok, yes we are making progress. The malware may have corrupted McAfee and it will probably be repaired at a reinstall. But do that after we clean everything off now, as it may hinder or make the install troublesome. Please tell us how we're running after all this.

Run ATF Cleaner first
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now rescan with MBAM once more, post a log, and reboot.

Follow that with an SAS scan and log. Thank you.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 LouEllen


Posted 15 December 2008 - 09:23 AM

I'll be back with the results later, but it certainly does take a leap of faith to download and install all this legitimate-sounding stuff I've never heard of! After all, SpywareGuard 2008 *looked* like the real deal!

I think the trouble started when, to my son's best recollection, he got a pop-up telling him his system might be infected and asking if he wanted to do a full scan. So he clicked OK...

So my question is: was it when he clicked OK that he got the virus? or was the damage already being done without his knowledge as soon as the pop-up appeared?

I'm just trying to figure out how to educate him so we don't have this problem again.

#8 boopme


Posted 15 December 2008 - 09:36 AM

Anything I (BC staff) give you to use here is tested and proven by BC first.

You definitely executed the malware when you clicked OK. You can even get it from clicking 'X'.
If you see something like that that you are unsure of, close it through the Task Manager.
Hit CTRL-Alt-Del at the same time. Highlight the page and select End Task. That avoids the executable script.

#9 LouEllen


Posted 15 December 2008 - 11:05 AM

MBAM scan came up clean! (log below) While it was running, it occurred to me that maybe I should've checked for updates, just for good measure. So when it finished, and before I rebooted the machine, I tried to check for updates and that failed. Maybe that doesn't matter for now...

Here is the log; I'll post the SAS log separately.

Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

12/15/2008 11:00:56 AM
mbam-log-2008-12-15 (11-00-56).txt

Scan type: Quick Scan
Objects scanned: 49386
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 boopme


Posted 15 December 2008 - 11:20 AM

Perhaps after running ATF and SAS, MBAM will update.

EDIT: I just updated to 1501 and it was very slow...

Edited by boopme, 15 December 2008 - 11:34 AM.


#11 LouEllen


Posted 15 December 2008 - 12:51 PM

SAS took a long time! But it did find a few more things. Log is posted below.

I haven't tried again to update MBAM; I'll wait for more instructions from you. The last time I restarted (after running SAS and rebooting as normal), McAfee did not complain that the computer was not being protected---that's good!

I still get a Windows Explorer window when the machine restarts. It shows C:\Program Files\Common, which still contains helper.sig. The date on that file is 12/7/2008 4:37 PM, which I'm sure is the date when the machine got infected [not sure about the time].

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2008 at 12:34 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 01:17:33

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 5177
Registry threats detected : 7
File items scanned : 46556
File threats detected : 9

Rogue.Component/Trace
HKLM\Software\Microsoft\208A8CCE
HKLM\Software\Microsoft\208A8CCE#208a8cce
HKLM\Software\Microsoft\208A8CCE#Version
HKLM\Software\Microsoft\208A8CCE#208a214e
HKLM\Software\Microsoft\208A8CCE#208a48ab
HKU\S-1-5-21-57989841-1637723038-1177238915-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-57989841-1637723038-1177238915-1003\Software\Microsoft\FIAS4018

Adware.Tracking Cookie
C:\Documents and Settings\Will\Cookies\will@ad.yieldmanager[2].txt
C:\Documents and Settings\Will\Cookies\will@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\will@wmvmedialease[1].txt

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\ENRHCRLO.INI
C:\WINDOWS\SYSTEM32\SDDUHJYK.INI
C:\WINDOWS\SYSTEM32\SHEOPCEW.INI
C:\WINDOWS\SYSTEM32\YKDNEGFH.INI

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMTNE.DAT

Trojan.Gen
C:\WINDOWS\UNIFISH3.EXE

#12 boopme


Posted 15 December 2008 - 02:21 PM

Hello again, I see we've found a rootkit infection.

One or more of the identified infections is a backdoor/rootkit trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you wish to continue cleaning please run SDFix.


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#13 LouEllen


Posted 15 December 2008 - 02:52 PM

Well, that is terrible news! This is my son's computer; he's 17 and does not do any banking or other financial transactions on it. I suppose it is possible that he has entered my credit card number for iTunes transactions and such.

But this machine is part of the wireless network in our home. Are the other machines compromised also?

I am willing to do a complete reinstall if you can guide me through it. I was able to back up all his documents and iTunes music; that's about all that's on his machine.

I don't actually know how to disconnect his machine from the internet other than shutting it down.

#14 boopme


Posted 15 December 2008 - 03:00 PM

Let's run the SDFix and see what it shows. Since there are no financials. Does he game online? Are the PCs sharing files?
I know it was bad news and I hate to deliver it.

#15 LouEllen


Posted 15 December 2008 - 03:30 PM

I'm not sure exactly what you mean by online gaming. He does play games on web sites but I don't really know anything about gaming so I'm not sure what you're asking.

The machine I'm typing from can see his machine, and vice versa, so yes I guess they share files. (The \My Documents folders on both machines are set up as shared.)

I had an IT professional set up our home network. This was a few years back, but he set it up to be as secure as possible at the time---only the MAC addresses we specifically entered can get on our network (and those were the addresses for my machine, my son's machine, and my husband's laptop). I don't think anything on my husband's laptop is shared, but he definitely does financial transactions on it. He's going to be furious :-(

I shut down the machine when you told me to disconnect it from the internet. I actually can't figure out how to run the machine without being connected. I right-clicked the wireless icon in the system tray but "Disconnect" was not an option. I guess I could just remove the wireless adapter, which sticks out of the back of the machine, while it's off...?

Is there any way to know for sure when the machine got infected? I suspect it was last weekend (12/7 maybe?) and the machine has been off most of the time since then. (Clearly I'm hoping for a miracle!)

This SDFix tool looks a little scary! I may not get to this until tomorrow.



