
Malware issue. Can't remove after many actions.


  • Please log in to reply
4 replies to this topic

#1 Bleary-eyed (Members, 3 posts)

Posted 13 December 2008 - 12:59 PM

Hello Experts,

I was somehow infected by some malware. It seemed to occur when I was issuing some commands on my laptop to perform a task to flush some authentication credentials for logging onto one of our servers. I wasn't sure which command was the right one to issue, and I issued a command "ipconfig /flushdns". I don't know if this could have caused it, but the infection seemed to happen right after that. I had McAfee Firewall up and running on my laptop, and we're behind a SonicWall firewall. There is a possibility I did have a VPN connection opened to a customer's network at the time (perhaps that could have been the source).

In any case, here are my symptoms:
1) When I open a browser, my browser displays the "Insecure Internet Activity. Threat of virus attack" page. Subsequent browsing usually (it's inconsistent) results in the browser crashing/GPF'ing.

2) In addition, a dialog intermittently pops up saying "Security Alert Center", "To help protect your computer, Windows Firewall has ...". It's obviously a rogue dialog.

3) My Microsoft Outlook 2003 client is also crashing now intermittently. Plus the computer is running slower than before.

What I've done so far:
I've run Kaspersky Anti-Virus (trial version), SuperAntiSpyware (free edition), a-squared Free, Malwarebytes Anti-Malware, Spybot and also SmitfraudFix.exe (twice), all to no avail.

System:
Win XP Professional SP2, IE 6, Dell Latitude D820 laptop.


I'm ready to post a HiJackThis log when requested.

Thanks in advance for all the assistance.

Bleary-eyed

Edited by Bleary-eyed, 13 December 2008 - 01:00 PM.


#2 buddy215 (Moderator, 13,301 posts, West Tennessee)

Posted 13 December 2008 - 03:07 PM

SAS and MBAM usually find the culprit.
Check the updates for both and see if they are SAS--Core 3674, MBAM--1496
If you scanned with an earlier version of updates, you should update SAS and run the scan in safe mode after updating in regular mode.

If you do post a Hijack This Log, be sure to post it in the HJT Forum. NOT IN THIS FORUM.

Preparation Guide For Use Before Posting A Hijackthis Log
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” (Lawrence M. Krauss)
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Bleary-eyed (Topic Starter, Members, 3 posts)

Posted 15 December 2008 - 12:40 PM

Great news. Malwarebytes removed the issue. The first time I had run it (as mentioned in my initial posting) I ran into several errors that appeared to be sourced from Malwarebytes. Perhaps those errors interfered with my first scan with the product. I subsequently scanned it again, with no errors this time, and it detected the following:

Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 2

12/15/2008 7:10:16 AM
mbam-log-2008-12-15 (07-10-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 351834
Time elapsed: 11 hour(s), 31 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Kent\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1293f4c7.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kent\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP766\A0117369.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Kent\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> No action taken.


Subsequent deletion via Malwarebytes solved the issue.

Thanks to all who responded to this.
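As an added illustration for readers triaging a log like the one posted above (this is not code from the thread or from Malwarebytes), the following Python script parses the Malwarebytes' Anti-Malware 1.x log format, checks that the summary counts agree with the items actually listed (a mismatch means a truncated or edited paste), and flags the Run-key entries as autorun persistence. Two signs are called out because they are worth explaining to a user: a Run value that borrows a Windows system binary name (the real svchost.exe is started by the Service Control Manager, not from a per-user Run key) and a Run value with a random-looking hex name. The embedded sample log is a constructed excerpt modelled on the posted one, with the account name replaced; the regular expressions and function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt in the Malwarebytes' Anti-Malware 1.x log format,
# modelled on the log in the post above (account name replaced by "User").
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\User\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1293f4c7.exe (Trojan.Agent) -> No action taken.

Files Infected:
C:\Documents and Settings\User\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP766\A0117369.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\User\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> No action taken.
"""

# Summary line: "<Section> Infected: <count>"; section heading: "<Section> Infected:";
# item line: "<path> (<threat>) -> <action>."  (patterns are assumptions of this example)
HEADER_RE = re.compile(r'^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$')
SECTION_RE = re.compile(r'^(?P<name>[A-Za-z ]+ Infected):$')
ITEM_RE = re.compile(r'^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$')

# Registry paths under a Run/RunOnce key are autorun entries.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
# Names of Windows binaries that never legitimately appear as a per-user Run value name.
SYSTEM_BINARY_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}


def parse_mbam_log(text):
    """Return (summary_counts, detections).

    summary_counts maps section name -> count from the summary block;
    detections is a list of dicts with keys section, path, threat, action."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            counts[m.group('name')] = int(m.group('count'))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('name')
            continue
        # Skip the preamble (before any section) and "(No malicious items detected)".
        if section is None or line.startswith('('):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({'section': section, 'path': m.group('path'),
                               'threat': m.group('threat'), 'action': m.group('action')})
    return counts, detections


def check_counts(counts, detections):
    """Return {section: (declared, listed)} for every section whose summary count
    disagrees with the items listed under it; an empty dict means the log is consistent."""
    seen = defaultdict(int)
    for d in detections:
        seen[d['section']] += 1
    return {name: (n, seen[name]) for name, n in counts.items() if n != seen[name]}


def persistence_findings(detections):
    """Return (path, reason) for each detection that is an autorun (Run key) entry."""
    findings = []
    for d in detections:
        if not RUN_KEY_RE.search(d['path']):
            continue
        value_name = d['path'].rsplit('\\', 1)[-1].lower()
        reason = 'autorun entry'
        if value_name in SYSTEM_BINARY_NAMES:
            reason = 'autorun entry named after a Windows system binary'
        elif re.fullmatch(r'[0-9a-f]{8,}\.exe', value_name):
            reason = 'autorun entry with a random-looking hex name'
        findings.append((d['path'], reason))
    return findings


if __name__ == '__main__':
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print('count mismatches:', check_counts(counts, dets) or 'none')
    for path, reason in persistence_findings(dets):
        print(f'{reason}: {path}')
    pending = [d['path'] for d in dets if d['action'] == 'No action taken']
    print(f'{len(pending)} item(s) still marked "No action taken"')
```

The last line matters when reading a posted log: "No action taken" means the item was detected but not yet removed, which is why the poster had to run the removal step afterwards.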

#4 buddy215 (Moderator, 13,301 posts, West Tennessee)

Posted 15 December 2008 - 01:20 PM

Your MBAM is missing a few updates. The last I checked it is up to 1500.

You should update Super Antispyware and do a scan with it. The last I checked the latest is 3674.
The malware you had/have brings with it a lot of friends. Better to find it all now. Best to scan in safe mode after updating in regular mode.

Use Ccleaner to remove temporary files, logs, cookies, etc. During install you will be offered the Yahoo Toolbar. UNcheck if not wanted. http://www.ccleaner.com/

Allow Secunia online scanner to check all of your programs for missing security updates.
http://secunia.com/vulnerability_scanning/online/

SAS INSTRUCTIONS IF NEEDED:
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

Edited by buddy215, 15 December 2008 - 01:22 PM.


#5 Bleary-eyed (Topic Starter, Members, 3 posts)

Posted 15 December 2008 - 01:28 PM

Thanks. I will perform your recommendations.