Infected with "System Security" rogue anti-spyware


14 replies to this topic

#1 rleem

Posted 26 January 2009 - 04:02 PM

Hello.

Yesterday I was hit with what appears to be rogue anti-spyware that brought up incessant pop-up (fake) alerts warning me of infection and fake Windows security virus scans and warning windows. I had a clean laptop to do some quick research into the problem and found advice on using Malwarebyte's Anti-Malware to clear this mess as well as using Hijack This. I did a quick scan with the anti-malware which located a bunch of junk, I followed the instructions on removing it, rebooted the computer and did a couple more thorough scans using my own virus-protection program (McAfee) and Malwarebyte program. All the crazy pop-ups are gone and my scans are yielding 0 infection results, but ever since then, I have been noticing a few quirks: "clicking" sounds in the background as if processes are being activated/accessed (?) and random Internet Explorer window popping up out of nowhere (I primarily use Mozilla Firefox for browser) with an error message along the lines of "page is not accessible" or "page is disabled". I would be grateful if someone could check out a HJT log (I'll send when prompted) or give any additional advice.

Thanks so much!

#2 boopme, Global Moderator

Posted 26 January 2009 - 04:20 PM

Hello rleem, welcome. Let's give this approach a shot.

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


RERUN MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rleem

Posted 26 January 2009 - 07:26 PM

Boopme, thank you for the help!

After following your instructions, posted below are the 2 requested logs. Just before the last reboot (after re-running MBAM), pop-ups began another rampage, this time random "games" and "language installers" not the same system security stuff...I think I managed to dodge them by hitting Alt+F4. I'm still worried something might be lurking though, requiring another pass through of the steps, but as I write this, all is quiet for the time being.

1. SUPERAntispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2009 at 04:55 PM

Application Version : 4.25.1012

Core Rules Database Version : 3729
Trace Rules Database Version: 1699

Scan type : Complete Scan
Total Scan Time : 01:06:21

Memory items scanned : 257
Memory threats detected : 0
Registry items scanned : 7436
Registry threats detected : 0
File items scanned : 107247
File threats detected : 5

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE



2. MBAM log:

Malwarebytes' Anti-Malware 1.33
Database version: 1697
Windows 5.1.2600 Service Pack 3

1/26/2009 5:13:45 PM
mbam-log-2009-01-26 (17-13-45).txt

Scan type: Quick Scan
Objects scanned: 58934
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\1PFxifRj.exe (Trojan.Scheduler) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1PFxifRj.exe (Trojan.Scheduler) -> Delete on reboot.


Thanks again!

#4 boopme, Global Moderator

Posted 26 January 2009 - 08:36 PM

Well then, let's see what else may be lurking.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#5 rleem

Posted 26 January 2009 - 09:04 PM

Ok. Here is the latest log for SmitfraudFix:

SmitFraudFix v2.392

Scan done at 18:57:09.00, Mon 01/26/2009
Run from C:\Documents and Settings\Rhiannon\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Rhiannon


C:\DOCUME~1\Rhiannon\LOCALS~1\Temp


C:\Documents and Settings\Rhiannon\Application Data


Start Menu


C:\DOCUME~1\Rhiannon\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.:thumbsup: - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4090FA78-6A83-42F7-9BBF-B7AF6B4064D1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EB6C4E8-A13D-4465-91AF-EC3EC8CFE319}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4090FA78-6A83-42F7-9BBF-B7AF6B4064D1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End



Hopefully there is some good news embedded in here! :-)
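The SmitfraudFix search report above walks through a fixed set of Windows autostart and name-resolution locations. As an added example (not code from the thread, from SmitfraudFix or from its author), this PowerShell script reads the same locations on a current Windows host and flags values that depart from the defaults, so a helper can see what each section of such a report is checking; it assumes PowerShell 5 or later, which the XP machine in the thread did not have.

```powershell
# Added example, not code from the thread or from SmitfraudFix.
# Reads the autostart and name-resolution locations that the SmitfraudFix
# search report enumerates (Winlogon, AppInit_DLLs, SharedTaskScheduler,
# At*.job tasks, hosts file, per-interface DNS servers) and flags values
# that differ from the Windows defaults. Assumes PowerShell 5+ on a
# current Windows host; run from an elevated prompt for complete results.

function Get-WinlogonState {
    # Defaults: Userinit is "<windir>\system32\userinit.exe," and System is
    # empty, which is what the thread's search report showed.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Userinit          = $p.Userinit
        Shell             = $p.Shell
        System            = $p.System
        UserinitIsDefault = ($p.Userinit -ieq "$env:windir\system32\userinit.exe,")
        ShellIsDefault    = ($p.Shell -ieq 'explorer.exe')
        SystemIsEmpty     = [string]::IsNullOrEmpty($p.System)
    }
}

function Get-AppInitDlls {
    # Any DLL listed here is loaded into every process that links user32.dll.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
    [pscustomobject]@{ AppInit_DLLs = $v; IsEmpty = [string]::IsNullOrWhiteSpace($v) }
}

function Get-SharedTaskSchedulerEntries {
    # Each value name is a CLSID; resolve it to the DLL Explorer loads at logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.Name)\InProcServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
            [pscustomobject]@{ CLSID = $_.Name; Description = $_.Value; Dll = $dll }
        }
}

function Get-AtJobs {
    # The search report flagged C:\WINDOWS\Tasks\At?.job; MBAM labelled the
    # payload Trojan.Scheduler, i.e. persistence through the AT scheduler.
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Get-HostsEntries {
    # Anything beyond loopback entries deserves a look: rogue software
    # redirects security vendors' host names here.
    $path = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content -Path $path -ErrorAction SilentlyContinue |
        ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ -match '^\S+\s+\S' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{
                Address    = $parts[0]
                Names      = ($parts[1..($parts.Count - 1)] -join ' ')
                IsLoopback = ($parts[0] -in @('127.0.0.1', '::1'))
            }
        }
}

function Get-InterfaceNameServers {
    # Same registry values the report printed as DhcpNameServer.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DhcpNameServer -or $p.NameServer) {
            [pscustomobject]@{
                Interface      = $_.PSChildName
                DhcpNameServer = $p.DhcpNameServer
                NameServer     = $p.NameServer
            }
        }
    }
}

function Invoke-AutostartReview {
    'Winlogon';             Get-WinlogonState | Format-List
    'AppInit_DLLs';         Get-AppInitDlls | Format-List
    'SharedTaskScheduler';  Get-SharedTaskSchedulerEntries | Format-Table -AutoSize
    'At*.job tasks';        Get-AtJobs | Format-Table -AutoSize
    'hosts (non-loopback)'; Get-HostsEntries | Where-Object { -not $_.IsLoopback } | Format-Table -AutoSize
    'DNS servers';          Get-InterfaceNameServers | Format-Table -AutoSize
}

Invoke-AutostartReview
```

Empty sections for AppInit_DLLs, At*.job tasks and non-loopback hosts entries, together with default Winlogon values, correspond to the "clean" outcome the helper is looking for in the report.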

#6 boopme, Global Moderator

Posted 26 January 2009 - 09:18 PM

OK Ri, we have found some baddies. Run part 2, cleaning.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Next run SDFix.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#7 rleem

Posted 26 January 2009 - 09:55 PM

Alrighty,

This is what happened as I went down the order of instructions:

1. Restarted the computer in safe mode
2. Opened SmitFraudFix.exe and selected '2' for cleaning
3. While this began its process, was notified by a new window that opened saying Disc Cleanup was underway and was calculating how much space was going to be able to be freed up...
4. Shortly after this window opened, the prompt for "Registry cleaning: do you want to clean registry" appeared on the SmitFraudFix window.
5. I typed "y" for yes, hit enter and then shortly after the report log, or 'rapport.txt' window appeared
6. I did not receive a prompt for the wininet.dll check...
7. Nothing else happened so being unsure what to do next, I restarted the computer in normal mode to report the events.
8. Now in normal mode, my background image on the desktop disappeared and there was a "windows security alert" warning notification icon (red shield) in the task bar saying my anti-virus was turned off and to "click here" to fix this. McAfee program that runs the anti-virus reports status of anti-virus as on and good.
Hmm....

Meanwhile, I will download SDFix and await your thoughts. Should I try again? How do I make sure the tool checks if wininet.dll is infected if it did not prompt automatically? Log follows:

SmitFraudFix v2.392

Scan done at 19:28:53.01, Mon 01/26/2009
Run from C:\Documents and Settings\Rhiannon\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4090FA78-6A83-42F7-9BBF-B7AF6B4064D1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5EB6C4E8-A13D-4465-91AF-EC3EC8CFE319}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4090FA78-6A83-42F7-9BBF-B7AF6B4064D1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


thanks for all this help~

#8 boopme, Global Moderator

Posted 26 January 2009 - 10:09 PM

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:

Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall


If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.


Proceed to SDFix

#9 rleem

Posted 26 January 2009 - 11:44 PM

Ok.
Results of SDFix: (I ended up running this 3 times to make sure I was doing it right in safe mode; yielded a "report.txt" and a "catchme.log" appeared on the desktop after reboot. Also, did not find any entries in the Web tab in the "customize desktop" instructions from previous post, entry space was completely blank, so I proceeded with SDFix instructions).


1. From SDFix:

SDFix: Version 1.240
Run by Rhiannon on Mon 01/26/2009 at 21:25

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :




2. Catchme.log notes

file copied: C:\WINDOWS\system32\user32.dll -> C:\WINDOWS\system32\dllcache\user32.dll ( 578560 bytes )


I feel like the baddies were not caught on this round.....? Thanks

#10 rleem

Posted 27 January 2009 - 09:33 PM

Hi again Boopme,

I'd like to post the results of a recent HijackThis log in the event the last logs posted at your request from SDFix did not yield helpful results if it seems that is the next step. Forgive this jumping ahead on my part, but I hope it may prove fruitful in this endeavor to eradicate the malware and other invasive junk from my computer.

Also on this Day 3: McAfee is now detecting "PrcViewer" on my computer and warning me that this is a potentially unwanted program and prompting me to remove, trust or ignore. For the time being I've ignored the problem and am surmising from other people's posts on the same issue that it's there now because I installed and ran SmitFraudFix. When I've heard from you regarding the logs from my original problem, I'll wait to remove that tool and in so doing, hopefully remove the PrcViewer.

Thanks again for your assistance and I hope to hear from you again soon~

Edited by rleem, 27 January 2009 - 10:58 PM.


#11 boopme, Global Moderator

Posted 27 January 2009 - 11:52 PM

Hello we probably will wind up using that log,but not here.

PRCViewer can be a genuine application or not depending on where it originated. Since McAfee is flagging it, it's probably bad.

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click HERE to open a Kelly's Korner vbs script . Download a small .vbs file to your desktop.

Once it's downloaded, run it according to these directions.
To use the VBS Files: Download .vbs file and save it to your hard drive (you may want to right click and use Save Target As). Double click the vbs file. You will be prompted when the script is done.

NOTE: If your anti-virus software warns you of a "malicious" script, this is normal if you have "Script Safe" or similar technology enabled. These scripts are not malicious, but they do make changes to the System Registry.


ALSO...
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.


#12 rleem

Posted 28 January 2009 - 10:44 PM

Hi again,

Ok, I've updated Java according to your instructions and have since run another McAfee scan regarding the PrcViewer.

I attempted to have McAfee program remove PrcViewer but the result was "Cannot be completely removed". This is the file name associated with the program in McAfee's log:

- File Name: C:\SDFix\apps\Process.exe, C:\Documents and Settings\Rhiannon\Local Settings\Application Data\Mozilla\Firefox\Profiles\10t6nhot.default\Cache\63329BDCd01, c:\Documents and Settings\Rhiannon\Desktop\SmitfraudFix\Process.exe, C:\Documents and Settings\Rhiannon\Desktop\SmitfraudFix.exe

These are the other 3 items it picked up and Quarantined, labeling them as Trojans:

- Detection name: Generic.dx, Generic.dx
File name: C:\Documents and Settings\Rhiannon\Desktop\SDFix.exe

- Detection name: Generic.dx, Generic.dx
File name: C:\Documents and Settings\Rhiannon\Local Settings\Application Data\Mozilla\Firefox\Profiles\10t6nhot.default\Cache\8F2ABEC4D01

- Detection name: Generic.dx, Generic.dx
File name: C:\SDFix\Catchme.exe

I'm not sure how to proceed from here to remove PrcViewer (or if I need to yet until the earlier issue(s) have been resolved since these files seem to directly relate to the programs I downloaded to detect and clean bad stuff?). I backed up the registry and downloaded the .vbs file but ran into a "This script cannot repair your issue. The expected Registry value was not found." message when trying to run it (assuming that I may have needed a successful removal effort of PrcViewer?)

Anyhow, I patiently await your next instructions in getting rid of the bad stuff you were able to detect from previous logs... Cheers!

#13 boopme, Global Moderator

Posted 28 January 2009 - 11:12 PM

Ok, we will need to run a few tools not used in this section. We will also remove PrcViewer. But I want to make no more changes to the PC.

We need to run HJT.
You should create a new HJT log. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK!

Edited by boopme, 28 January 2009 - 11:13 PM.


#14 rleem

Posted 28 January 2009 - 11:35 PM

Ok,

HJT log posted on that forum titled... "Next step: HJT log for system problems"

Not sure if you will be assisting me further or if it will be another person, but thanks for all the assistance along the way!



ps. If it's someone else, do I need to alert them specifically to the PrcViewer issue or will that be obvious? this whole process is very interesting indeed....

#15 boopme, Global Moderator

Posted 28 January 2009 - 11:52 PM

Hi you're very welcome . You will get someone else. I wanted to get it here but you need a few different tools with one on one supervision. Mention it to them anyway but not till after they respond to your post. You'll see why in my topic closing instructions. It's been my pleasure. If needed feel free to PM me.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.



