Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Probable malware infection, need direction


  • Please log in to reply
9 replies to this topic

#1 chattykk

chattykk

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Delaware County, PA
  • Local time:11:42 AM

Posted 07 January 2009 - 12:40 PM

Operating system is Windows XP Professional v. 5.1.2600 SP2
Spybot S&D installed but not working properly.

A week ago began receiving almost continual pop-ups when using IE7, also error 1058 for Windows AU. Tried Microsoft directions to turn AU back on and it was not successful. Downloaded SUPERAntispyware, though it ran and quarantined/deleted some items the system hung before the scan completed.

Current status: IE7 continues to get continual pop-ups(they are blocked) but I can see them
happening; about every 2 minutes a window pops-up with messages that the machine is being
attacked apparently by every known malware program out there and then asks if I want to run
MS Spyware 2009 - response is always "NO". Every time I try to access an anti-spyware site, including this one, a Google error "Oops! This link appears broken". All other websites appear to be accessible but I am fearful to use the internet at all. We use a DSL modem and it is turned off for now.

Any guidance would be greatly appreciated. Thanks.

Kathy

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 07 January 2009 - 12:58 PM

Hello. Perhaps a copy of the SAS scan log would help us see what was found as that may give us some clues. Also scan again with MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 chattykk

chattykk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Delaware County, PA
  • Local time:11:42 AM

Posted 08 January 2009 - 08:25 AM

Thank you for the fast response. My apologies for not making my problem clear. I registered and post to this site from my computer at the job. Home computer is the problem and I am unable to access any anti-malware site from that computer. Every attempt results in the error message "Oops!! This link is broken". That includes this site.

Can I download the executable module from malwarebytes.org to a CD or flash drive from my computer here at work? If not, how can I get a copy to proceed?

Kathy

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 08 January 2009 - 11:59 AM

Yes you can.. Her's a few tips if you have problems.

If you cannot use the Internet,you will need access to another computerthat has a connection.
from there save mbam-setup.exe to a flash,usb,jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.



Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

***
Another work around is by not using the mouse to install it, Just use the arrow keys, tab, and enter keys.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 chattykk

chattykk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Delaware County, PA
  • Local time:11:42 AM

Posted 08 January 2009 - 09:22 PM

Success! Though quite a struggle, mbam.exe ran and this post is coming from the infected computer.

Not confident that things are cleaned up and expect there is more to do.

Did need to change the file extension from .exe on both setup and mbam, should I change them back to .exe?



Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

1/8/2009 9:08:00 PM
mbam-log-2009-01-08 (21-08-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144214
Time elapsed: 1 hour(s), 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\cpjjcfsw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wsfcjjpc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rhvlmqwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uwqmlvhr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MSantispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\w.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\TDSSa0a8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\1QFGEQFD\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ET97R02W\main[1].exe (Rogue.MSantispyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1816\A0108293.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bsfwgdqs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gptjeosg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSofxh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSoiqt.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSosvd.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090105210610296.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090105213539781.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090106085105953.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090106085608375.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090108130245312.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090108174035281.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSnrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TDSSsbhc.log (Trojan.TDSS) -> Delete on reboot.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 08 January 2009 - 10:59 PM

Ok that went well. You should be able to change it back now.

I see some malware there that is pretty serious. TDDS, backdoor and rootkits. I must give you this advice now.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 chattykk

chattykk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Delaware County, PA
  • Local time:11:42 AM

Posted 09 January 2009 - 08:09 AM

Having never fully trusted the internet and possible infection, no financial data has ever been saved on the infected computer. However, I was trusting enough to pay via credit card, type applications containing name, address, DOB's and SSNs in addition to accessing financial accounts so if keystrokes were recorded we are at risk for identity theft. Also, homebanking has been a regular practice for years.
The security at the financial institutions is excellent and I have auto e-mails turned on for transactions over a specific amount but I do not have a warm fuzzy.

Decision is a no-brainer, I must re-format. Not certain I have the expertise to accomplish this and
the original installation CD's are pre-XP SP2 so I think I will need to hire someone. Can you suggest a reliable company or should I find a local consultant.

Despite the bad news, I really appreciate the support received here.

Kathy

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 09 January 2009 - 12:01 PM

Hello, Although I dislike being the bearer,I felt it is a must to know. The choice to reformat and reinstall is the choice I would make were it my machine.
The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Killdisk.

I'll provide a an excellent source of information on the procedure should you want to do it yourself. But ONLY all full wipe of the drive and reinstall will guarantee the security of the drive. You can also ask about preforming this in the XP forum up top. I suppose that the Geek Squad would be reputable.
Of course feel free to ask any questions.

Reformatting Windows XP

Michael Stevens Tech
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 chattykk

chattykk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Delaware County, PA
  • Local time:11:42 AM

Posted 09 January 2009 - 03:44 PM

Looks like I will develop the expertise. Cost for assistance is prohibitive since hubby is laid-off. May be back with questions. Will certainly provide status after my adventure.

Thank you again for the support. This is an invaluable service to the public and appreciate the time and attention.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 09 January 2009 - 04:01 PM

You're quite welcome! Don't be afraid to ask. We go by the rule "there are no dumb questions only dumb answers" :thumbsup:

And Thanks for the kind words.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users