Infected with win32.banker.fs and trojan.spyagent.da


22 replies to this topic

#1 grundsau

Posted 29 December 2008 - 02:33 PM

Hi, I'm posting from another computer.
The infected computer is running XP with Service pack 2.
It has multiple pop-ups telling me about security issues and I need a special cleaner to fix them. The desktop has a new image on it that looks like a maze in blue and red colors. I can't change it.
The system is running slow.
I tried to reboot into normal safe mode and safe mode with networking. All I get is a black screen with safe mode in the corners.
Also if I reboot normally outside of safe mode the blue/red maze appears and the rest of the icons and system do not finish loading.
Not sure what to do.
Hope someone has a fix.
thanks

Edited by grundsau, 29 December 2008 - 02:37 PM.



#2 boopme

Posted 29 December 2008 - 03:29 PM

Hello, I would like you to run these 2 tools and return the reports, thanks.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Now Part 1 of S!Ri's SmitfraudFix

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 grundsau

Posted 29 December 2008 - 03:57 PM

Hi Boopme, thanks for helping me. I can't get to a screen where I can open IE to access the Net.
I was experimenting while waiting for a reply.
In safe mode I can get to where it asks me if I want admin or my regular user profile access. I click Admin and get a blank screen with safe mode in the corners and Microsoft with the Build numbers and SP 2 at the top.
I can access Task Manager.
When I try to open a drive using this address (C:\) it says it cannot find the drive.
It does see a disk in my CD burner with the Spy No More exe file on it but it won't let me save it to the hard drive.
thanks

edited to add: I can browse through my hard drives but cannot open a specific file that I tell it to look at.
Was also able to see a jpeg through Photoshop.
Also have AVG Anti-Spyware and will run that to see what happens.
I also have HijackThis somewhere in my system also.
I'm still trying to get an internet connection at this point.

Edited by grundsau, 29 December 2008 - 04:09 PM.


#4 boopme

Posted 29 December 2008 - 04:20 PM

Ok, sounds like fun. A couple of options. One is if you burn that MBAM to a CD it should run off the CD.
Sometimes it will run from the other (non-Admin) account.
Another is safe mode with Networking may make the internet available. Perhaps if you can find the HJT application and run it, then get a log.
You can also try a Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD to boot the system.

#5 grundsau

Posted 29 December 2008 - 04:32 PM

LOL, yep this one is a doozy.
I'll try this evening and it will probably be morning till I get something posted.
thanks

#6 grundsau

Posted 29 December 2008 - 06:11 PM

Ok, I've gotten back online after running Malwarebytes.
I couldn't run that other program and got a language I couldn't understand.
The initial log was saved and I couldn't find it. There were a lot of items that were removed.
Then I opened the program to run it again and then that would tell me where it was saved to. The program must have overwritten the original, sorry about that.

Tried to attach the log file but couldn't figure out how.
Copied it instead.
Malwarebytes' Anti-Malware 1.31
Database version: 1570
Windows 5.1.2600 Service Pack 2

12/29/2008 6:01:29 PM
mbam-log-2008-12-29 (18-01-29).txt

Scan type: Quick Scan
Objects scanned: 23246
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by grundsau, 29 December 2008 - 06:14 PM.


#7 boopme

Posted 29 December 2008 - 07:39 PM

Hi, you meant the SmitfraudFix program? (Was it French by any chance? Not important, just that the author is French.)
Try this one and run Options 1 & 2. Post back the report. SmitFraudFix.
The report can be found at the root of the system drive, usually at C:\rapport.txt .

#8 grundsau

Posted 30 December 2008 - 12:07 AM

Ok, I've got two logs from Smitfraud.
The desktop still has that crazy patterned design and I don't know how to get rid of it.
Step 1:
SmitFraudFix v2.387

Scan done at 23:37:39.25, Mon 12/29/2008
Run from C:\Documents and Settings\H. Allen Schaeffer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\H. Allen Schaeffer\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\H. Allen Schaeffer


C:\DOCUME~1\H6D48~1.ALL\LOCALS~1\Temp


C:\Documents and Settings\H. Allen Schaeffer\Application Data


Start Menu


C:\DOCUME~1\H6D48~1.ALL\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"IPC Configuration Utility"="IPC Configuration Utility"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 68.87.75.194
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


Scanning for wininet.dll infection


End


Step 2:

SmitFraudFix v2.387

Scan done at 23:47:59.65, Mon 12/29/2008
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"IPC Configuration Utility"="IPC Configuration Utility"


Killing process


hosts


VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F72945C9-1823-4FCB-99E3-0E2E2E45EA45}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"IPC Configuration Utility"="IPC Configuration Utility"



End

#9 boopme

Posted 30 December 2008 - 12:26 AM

Try this on the desktop ... How is the PC running now otherwise? I'll be back tomorrow.

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:

Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall


If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.

Edited by boopme, 30 December 2008 - 12:26 AM.


#10 grundsau

Posted 30 December 2008 - 10:50 AM

Hi, thanks for staying with me for so long.
I followed your latest instructions. Once I click on the Customize Desktop button there is only one tab titled General. None of the other tabs are visible.
When this all first started I saw a file named "tmp" in with the other background selections. It is now gone. The crazy desktop background was still showing though. I changed the desktop back to its original photo and it seems ok.

Should I always run Malwarebytes in safe mode?

I currently run Zone Alarm Security Suite with anti-virus/spyware. Is that enough or is there something better?
thanks again.

#11 boopme

Posted 30 December 2008 - 11:25 AM

Hi, and you are welcome, let's hope that stays fixed.

Should I always run Malwarebytes in safe mode?

Actually, no. MBAM is written to be a more powerful tool in normal mode. Most others are better in safe. Specialized tools like smitfraud should only be run when you know that the infections they work with are on the machine or else they can do more harm than good. I would keep MBAM and SAS (we will run that now) on hand. Update and scan weekly. SAS is a stronger tool in Safe mode.
ZA is a very good tool. I am of the belief that I don't usually run suites. Not that they are bad! But as you see now no one tool gets it all and I feel a suite builds a somewhat false hope of total protection. On the other hand with the suite you have gained a better firewall than the XP wall. Most people are not aware that the XP wall only monitors traffic one way (in). So in summary, I use 1 AV, 1 firewall, and several antispywares. You should even add SpywareBlaster to the system. See BC's Freeware Replacements For Common Commercial Apps under Spyware Removal.

Now please run these tools.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

SAS:
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
How's the PC running now??

#12 grundsau

Posted 30 December 2008 - 01:38 PM

I'm at work. I'll get those programs downloaded and scanning in between customers.

On both the C and D drives there is a file called pagefile.sys and it is huge, it's 1,523,712 KB in size.
My D drive is partitioned and this thing has sucked up almost all the space on it.
There is also a hiberfil.sys file and a rollback.ini file.
Yesterday the pagefile.sys had 12/29 as the date, now it has today's date.
The other two have today's date and I am not sure when they appeared.

I had run Malwarebytes again and got this log file:

Malwarebytes' Anti-Malware 1.31
Database version: 1577
Windows 5.1.2600 Service Pack 2

12/30/2008 12:58:46 PM
mbam-log-2008-12-30 (12-58-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178087
Time elapsed: 2 hour(s), 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074689.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074690.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074691.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074693.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074694.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074695.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074696.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074697.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP562\A0074692.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

Edited by grundsau, 30 December 2008 - 01:41 PM.
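An added, read-only audit script (not from the thread, MBAM or SmitfraudFix; assumes PowerShell 3.0 or later) that checks the same three places the log above and post #9 deal with: the HKCU policy values flagged as Hijack.DisplayProperties, the Active Desktop web components under Internet Explorer\Desktop\Components, and the HKCU Run/RunServices autorun entries where the UpdateWin values sat. It changes nothing; it only reports what is there so the same desktop lock-out can be recognised on another machine.

```powershell
# Constructed audit script; reads registry values only, never writes.

# The three per-user policies MBAM reported as "Bad: (1) Good: (0)".
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' }
)

function Get-DesktopLockPolicyStatus {
    # A value of 1 locks the user out of changing the wallpaper / Active Desktop,
    # which is how the "blue and red maze" background was made unchangeable.
    foreach ($check in $policyChecks) {
        $value = $null
        if (Test-Path $check.Path) {
            $value = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
        }
        if ($null -eq $value)  { $status = 'absent (default)' }
        elseif ($value -eq 0)  { $status = 'ok' }
        else                   { $status = 'LOCKED' }
        [pscustomobject]@{ Path = $check.Path; Name = $check.Name; Value = $value; Status = $status }
    }
}

function Get-ActiveDesktopComponents {
    # Post #9's "Web" tab lists these keys. "My Current Home Page" pointing at
    # About:Home is the stock entry (it appears in the SmitfraudFix log above);
    # any other component is what the Display dialog would have shown for deletion.
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Component    = $_.PSChildName
            FriendlyName = $p.FriendlyName
            Source       = $p.Source
            Stock        = ($p.FriendlyName -eq 'My Current Home Page' -and $p.Source -eq 'About:Home')
        }
    }
}

function Get-UserAutoruns {
    # Lists every per-user Run / RunServices entry so an unfamiliar name such as
    # the removed "UpdateWin" value can be spotted by eye.
    foreach ($key in 'Run', 'RunServices') {
        $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

Get-DesktopLockPolicyStatus | Format-Table -AutoSize
Get-ActiveDesktopComponents | Format-Table -AutoSize
Get-UserAutoruns            | Format-Table -AutoSize
```

Run it in the affected user's session (the keys are under HKCU), and compare the output against the entries MBAM and SmitfraudFix listed above.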


#13 boopme

Posted 30 December 2008 - 01:50 PM

Hello, the pagefile can be fixed, but that's not as important as the Backdoor bot you've picked up. I have to advise you that that's NOT good. I feel you have 2 choices now: we send this to the HJT Team, or you have to fully wipe this hard drive and reinstall the Operating System.
Here are 2 advisories on this
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

AND>>
A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.

#14 grundsau

Posted 30 December 2008 - 02:15 PM

I'm on another computer now. I'd prefer to not have to reformat the computer.
I have used the infected computer for some sensitive info but not for several weeks. That probably doesn't matter though.
Do you still want me to run those other programs or should I wait?
I would like to get rid of those large files so the "low memory popups" stop appearing.
thanks

Edited by grundsau, 30 December 2008 - 02:17 PM.


#15 boopme

Posted 30 December 2008 - 02:35 PM

Well, let's see what SDFix says and we'll go from there.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
