Major Problem, Please Advise


  • This topic is locked
21 replies to this topic

#1 riddimassassin

  • Members
  • 12 posts

Posted 26 January 2009 - 02:34 AM

Hey guys, I have a major problem with a trojan virus. I think it's called Trojan/Rustock-N or something of the sort. Whenever I try to access any of my email accounts, update any of my antivirus programs etc. it gives a bogus unsecure certificate message. It is really annoying and it is affecting both my laptop with Windows XP and my desktop with Windows Vista. I've used AVG 8.0 Free and Malwarebytes; they removed some trojans but I'm still having this problem. I can't get to my email account and it is preventing me from accessing some sites completely. Please help, thanks.


#2 Monty007

  • Members
  • 1,151 posts
  • Gender:Male
  • Location:Australia

Posted 26 January 2009 - 02:43 AM

Hi, first you can try this free program http://www.superantispyware.com/download.html Install it and update, then make sure Malwarebytes is up to date. I would boot into safe mode with no networking and run a full scan of SuperAntiSpyware and Malwarebytes.
MCP
MSDST

#3 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 26 January 2009 - 09:19 AM

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 11:21 AM

Hey guys, thanks for the responses, I appreciate it. I tried the spyware programs but they haven't picked anything up. This is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.33
Database version: 1695
Windows 5.1.2600 Service Pack 3

1/26/2008 11:19:32 AM
mbam-log-2008-01-26 (11-19-32).txt

Scan type: Quick Scan
Objects scanned: 52294
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d5c2ef30-a4e5-48ac-9b7f-902d1b155c06}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef75e4e0-1e71-4b37-b598-15287efc8048}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef75e4e0-1e71-4b37-b598-15287efc8048}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{d5c2ef30-a4e5-48ac-9b7f-902d1b155c06}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ef75e4e0-1e71-4b37-b598-15287efc8048}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ef75e4e0-1e71-4b37-b598-15287efc8048}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

#5 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 26 January 2009 - 12:35 PM

Please REBOOT the computer and UPDATE mbam. Run a FULL scan and post back with the results for review
Mark

#6 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 02:01 PM

OK thanks, I'll do that now. Thanks again for the help, I'll post results when the scan is done.

#7 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 04:36 PM

OK, here it is:

Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Stationary (Programs)\Acid Pro 5.0\Sony Acid Pro 5.0 + Key\kgsonyall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

And I'm still having the problem. This is what comes up when I try to access Gmail:

Secure Connection Failed

www.google.com uses an invalid security certificate.

The certificate will not be valid until 5/2/2008 1:02 PM.

(Error code: sec_error_expired_certificate)

* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

Edited by riddimassassin, 26 January 2009 - 04:37 PM.


#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2009 - 04:51 PM

Hello.

I'll just jump in here. I don't think this is related to malware, but it could be. Please correct/check the following.

Please make sure your clock settings and everything are correct. Double-click on the time in the bottom right corner. This should bring up the Date and Time Properties window. Alternatively you can go to Start >> Control Panel >> Date and Time.

When the window opens please make sure the following is accurate/correct:

Date: [whatever your date is] Should be January 26th or January 27th depending on the time zone you are in.
Time: [whatever the time is] Make sure AM and PM are correct.
Time Zone: [whatever your time zone is]

After that is all corrected or confirmed, please press Apply and then OK. Exit afterwards.

Next, please go to the Windows Update site located over here. Install any updates if there are any, using the express update.

Tell me if you still get that error message when you visit google.com or any other websites.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#9 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 04:57 PM

Hi, my date and time are correct. I clicked the link but it says 404 page not found.

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2009 - 05:09 PM

Hello again. :thumbsup:

Are you sure? Could you check again please? From what I saw in the MBAM log it was not correct. Make sure the year is also correct. It should be 2009 now.

With Regards,
Extremeboy
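Both diagnoses in this thread can be pulled out of the MBAM log automatically: the scan timestamp shows the machine's clock a year behind (the 1/26/2008 line that extremeboy spotted above, which is why the browser judged Google's certificate "not valid until 5/2/2008"), and the Registry Data Items in reply #4 show Trojan.DNSChanger writing its own resolvers into Tcpip\Parameters. This is an added example, not code from the thread or from Malwarebytes; the reference time, the trusted-resolver set (192.168.1.1) and the log excerpt are constructed from the values posted here.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the MBAM log posted earlier in this thread
# (scan timestamp, registry paths and resolver addresses as quoted there).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
1/26/2008 11:19:32 AM
mbam-log-2008-01-26 (11-19-32).txt
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef75e4e0-1e71-4b37-b598-15287efc8048}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.109,85.255.112.141 -> Quarantined and deleted successfully.
"""

# Assumptions: the helper's reply went up on 26 Jan 2009 at 16:51, and the only
# legitimate resolver on this network is the router at 192.168.1.1 (constructed).
POST_TIME = datetime(2009, 1, 26, 16, 51)
TRUSTED = frozenset({"192.168.1.1"})

# MBAM records the scan time as a bare "M/D/YYYY h:mm:ss AM" line.
TIMESTAMP_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$", re.M)
# Static (NameServer) and DHCP-learned (DhcpNameServer) resolver values both
# live under Tcpip\Parameters; the log shows DNSChanger overwrote both.
NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY_[^ ]*\\(?:Dhcp)?NameServer) \([^)]*\) -> Data: (?P<data>[0-9.,]+)",
    re.M,
)

def parse_scan_time(log):
    """Return the scan timestamp the infected machine's clock produced, or None."""
    m = TIMESTAMP_RE.search(log)
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p") if m else None

def clock_skew_days(log, reference):
    """Whole days between the machine's clock at scan time and a trusted reference."""
    return (reference - parse_scan_time(log)).days

def rogue_resolvers(log, trusted):
    """Map each NameServer/DhcpNameServer key to the resolvers outside the trusted set."""
    findings = {}
    for m in NAMESERVER_RE.finditer(log):
        bad = [ip for ip in m.group("data").split(",") if ip not in trusted]
        if bad:
            findings[m.group("key")] = bad
    return findings

def triage(log, reference, trusted):
    """A clock off by more than a day explains 'not yet valid'/'expired' certificate
    errors; resolvers outside the trusted set explain silently redirected sites."""
    skew = clock_skew_days(log, reference)
    return {"skew_days": skew, "clock_suspect": abs(skew) > 1,
            "rogue_resolvers": rogue_resolvers(log, trusted)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, POST_TIME, TRUSTED))
```

On the posted log the report shows a skew of 366 days and both resolver keys flagged, matching what the two helpers diagnosed by hand.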

#11 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 05:13 PM

Thanks, I totally screwed that up lol. I fixed the date to 2009 and I am now able to access my email accounts, thanks :). The only problem I have now is I still can't update my antivirus or get to sites such as superantispyware.com.

Edited by riddimassassin, 26 January 2009 - 05:16 PM.


#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2009 - 05:17 PM

Hello.

That's strange, it should work now. Try the Windows Update site again, and then after that restart your computer and visit your e-mail accounts and see if it works now.

Tell me how it goes.


Just saw your edit there, post back to you soon.

With Regards,
Extremeboy

Edited by extremeboy, 26 January 2009 - 05:18 PM.


#13 riddimassassin

  • Topic Starter
  • Members
  • 12 posts

Posted 26 January 2009 - 05:20 PM

I'm still unable to access the Windows Update site, I'm being forwarded to here <hxxp://avg.urlseek.vmn.net/search.php?lg=en&mkt=en&type=404&tb=ff&tbn=avg&q=hxxp://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us>

Edited by Orange Blossom, 11 February 2013 - 03:44 AM.
Deactivate link. ~ OB


#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2009 - 05:25 PM

Hello.

Do you mean you can't get to some sites that are security related? Restart your Internet Explorer, meaning close Internet Explorer and then reopen it. Does Windows Update work now?

What happens when you go to this website: http://www.superantispyware.com/

Any errors when visiting it? Also, it seems you were using AVG 8.0 when you first started the topic? What happens when you click the update button? Do you get any error? I just tried updating my AVG and it works fine for me. A screenshot or the error message you receive would be helpful.

I just want to have an idea of what's going on before I proceed.

Thanks.

With Regards,
Extremeboy

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2009 - 05:30 PM

Hello.

Just saw your reply again. Please perform the following scan.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Important! Please do not select the Show all checkbox during the scan.

Next...

Please go to www.Google.ca. In the open field please type in: Windows update site.
Then click Google Search. Please give me a screenshot of that after you click Google Search. You can upload it somewhere and then give it to me.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 26 January 2009 - 05:31 PM.
