
ms-antispy-09 AND computer keeps shutting down


2 replies to this topic

#1 goofer

goofer

  • Members
  • 4 posts

Posted 02 February 2009 - 02:12 PM

Hi,

My OS: Windows XP sp3

I found that I had ms-antispy 2009 installed on my computer. I believe this happened because I was stupid enough to install a program that popped up (and I downloaded/installed) when I visited a site. Right away a bunch of cmd windows opened up (3 I think) so I closed them. I opened Task Manager and looked under processes and I noticed a few running processes which shouldn't be there like "a.exe", "b.exe", etc. I stopped those processes but they kept restarting in the background.

At this point I didn't notice them running in the background so I kept surfing as I didn't think there was a problem. I was googling and when I clicked on a link for a site (e.g. www.site-xyz.com) I was re-directed to other 'search' sites, not to the site I wanted. Also, at some point I was redirected to a page claiming to be "STOPzilla" anti-spyware. Me being a dumbass downloaded it and tried to install it. When I tried to install STOPzilla nothing happened (I noticed) but now there is a shortcut for STOPzilla on my desktop but I can't find it in my ADD/REMOVE programs under Control Panel, nor is it in the "Start" menu.

My browser was also being hijacked when I clicked links on websites (other than google).

To fix the website hijacking I had to right click on a link (if on a website), and copy link, then paste it into the URL bar and I could visit site www.site-xyz.com. This was also my fix for sites I found with google. I had to copy/paste the URL from google into my URL bar.

At this point I was getting really annoyed and I noticed my firewall asked if ms-antispy 2009 can connect to the internet (as m*2009.exe). I thought that was weird so I didn't allow it to connect.

Then I thought I would restart my computer. Once my desktop was loaded my computer restarted after about 30 seconds by itself.

So I went into safe mode with networking and googled to find what m*2009.exe was. I found out it is of course ms-antispy 2009. But when I clicked on a google link to visit http://www.bleepingcomputer.com/malware-re...-antivirus-2009 my browser (firefox) said 'connection refused'. This happened every time I tried to visit well known anti-spyware/anti-virus sites like Malwarebytes, etc. It happened if I used Firefox or IE. I could not even download the Malwarebytes program Anti-Malware via a direct link in safe mode. I tried copy/pasting www.bleepingcomputer.com (from google) but I still got the "connection refused" page. The same thing happened when I tried to reach http://www.bleepingcomputer.com/malware-re...-antivirus-2009 via a link from a website (not google). I assumed the spyware was using URL redirection/blocking so I tried entering the IP for www.bleepingcomputer.com and I still got the 'connection refused' error.

Finally I was able to download Malwarebytes Anti-Malware from download.com (or similar). I also downloaded SuperAntispyware. Both of which I should be able to install in safe mode but neither would install in safe mode. So I restarted into normal mode and quick like a bunny I installed Malwarebytes, but while it was almost done "registering files" (during install) my computer restarted.

So after I (partially) installed Malwarebytes I rebooted back into safe mode and ran Malwarebytes. It found lots of spyware and it found ms-antispy 2009. But, I ran a full scan with SpySweeper a day before I got infected and my system was 100% clean. So I assume all the "new" spyware are from the one file I downloaded and installed. Malwarebytes was able to remove most of the files but I had to restart to remove the rest. So I restarted into normal mode and once my computer restarted by itself :thumbsup: I went back into safe mode and ran Malwarebytes again. This time Malwarebytes found a little more spyware reg keys and files but it was able to delete them. Funny thing is AFTER I ran Malwarebytes in safe mode I could install SUPERanti-spyware while in safe mode.

So after all that I restarted back into normal mode and yep, once again my computer restarted...grrrr! I went back to safe mode and tried surfing but I still was getting my websites hijacked to random 'search' sites or (I assume) a fake site for STOPzilla.

When I ran Malwarebytes the first time I tried to update the definitions but I was unable to. Now I found the link for manual updating of definitions so I'll try that in safe mode once I get home.

SO what am I doing wrong/not doing? Can anyone help me please? Thanks for your time! :flowers:


#2 goofer

goofer
  • Topic Starter

  • Members
  • 4 posts

Posted 02 February 2009 - 06:52 PM

Hey all,

I thought now that I'm home I should post the Malwarebytes Mbam logs (I hope that's OK). Maybe someone can help me...right now I can't use my computer at all. It reboots about 1-2 minutes after the desktop has loaded. I am in graduate school and I NEED my computer and the files on it. Thanks.

I ran Mbam twice (1st time Quick, 2nd time Full) and it kept finding items. Then I updated the definitions with "mbam-rules.exe". After updating I ran Quick mode again and found a lot more items. After that 3rd running of mbam I ran it one last (4th) time and it didn't find any items. I had to run Mbam from safe mode each time.


Thanks so much!!! :thumbsup:


Here is the log from the 1st run (Quick) of Mbam:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/1/2009 7:55:49 PM
mbam-log-2009-02-01 (19-55-49).txt

Scan type: Quick Scan
Objects scanned: 47852
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsdrgfdrrgnd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201095926750.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201124947406.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201151124656.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201152105531.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ACVJ40DQ.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~tmpa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~tmpb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~tmpd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\jared-admin\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Here is the log from the 2nd running (Full) of Mbam:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/1/2009 8:38:41 PM
mbam-log-2009-02-01 (20-38-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113804
Time elapsed: 29 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
And finally here is the 3rd running (Quick) of Mbam, this one is with the latest definitions:

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

2/2/2009 5:48:27 PM
mbam-log-2009-02-02 (17-48-27).txt

Scan type: Quick Scan
Objects scanned: 48677
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a5db9911 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\a5db9911 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\a5db9911 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a5db9911 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ACVJ40DQ.exe (Trojan.Obvod) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\a5db9911.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\winlognn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



#3 goofer

goofer
  • Topic Starter

  • Members
  • 4 posts

Posted 02 February 2009 - 10:50 PM

OK it just happened again...I lost all access to www.bleepingcomputer.com/ !!! I think a spyware/virus is intentionally blocking access to this site...read on please...

The reason I'm posting this is I keep getting blocked while trying to access to this site. I assume the MODs/ADMINs want to know that (seemingly) this site is being blocked by some kind of spyware/virus. I thought it might be a DNS issue but I didn't flush DNS I just ran Mbam and magically I could access this site again with Firefox and IE8beta...so to me that doesn't seem like a DNS issue.

I'm pretty positive that it's a spyware/virus blocking access to this site, giving me permission denied errors. I'm definitively not misspelling the site because it was bookmarked. Besides, even if I did misspell it my ISP does DNS hijacking, that means I would have seen my ISP's 'search' page offering different spelling suggestions and sites. I have not once seen my ISP's DNS hijack, it's always the permission denied error. But, after I ran Mbam (and could access this site again) I tried misspelling this site's URL and sure enough my ISP hijacked my DNS and sent me to their 'search' page.

During the time period when I can not access this site I am still able to access google and many other sites, just not spyware/virus removal orientated sites...

When I started Firefox and tried to access this site/forum (via a bookmark) I got an error which read "permission denied". At www.bleepingcomputer.com and www.bleepingcomputer.com/forums. I also tried with IE 8beta and I was unable to access this site. IE gave me the 'unable to connect' error.

So I ran Mbam AGAIN *sigh* and I got two more spyware/virus items. This is after I ran Mbam and had zero spyware items...weird huh?

To make matters worse my computer will not boot past the initial loading phase. My screen turns blue and then the message box appears saying Loading windows (or something). But the login/user box never appears. The bootup hangs once the screen turns blue (the background). So now I'm even more stressed, I can't even start up my computer! I am using safe mode right now but I don't like using it to surf...


My eternal gratitude to anyone who can help me!

Here is my 5th running (Quick) of Mbam:

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

2/2/2009 7:23:51 PM
quick-mbam-log-2009-02-02 (19-23-18).txt

Scan type: Quick Scan
Objects scanned: 48654
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
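As an added example that is not part of the poster's messages or of BleepingComputer's own material: a small parser for the Malwarebytes' Anti-Malware 1.33 log layout pasted in this thread, run over constructed excerpts of the same entries, which flags items that recur across runs (the tdss keys that come back after being "deleted successfully") and items the scanner has not removed yet. The sample logs and the function names are the editor's assumptions.

```python
import re
from collections import Counter

# Constructed excerpts in the Malwarebytes' Anti-Malware 1.33 log layout seen in this
# thread (hypothetical sample input; the entries are ones the poster's logs listed).
RUN_1 = r"""Database version: 1654
Registry Keys Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsdrgfdrrgnd.dll (Trojan.Zlob.H) -> Delete on reboot.
"""
RUN_2 = r"""Database version: 1714
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a5db9911 (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
"""
RUN_3 = r"""Database version: 1714

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Files Infected:
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Registry Keys Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")      # path (family) -> action.

def parse_mbam_log(text):
    """Return (header dict, [(section, path, family, action)]) for one log."""
    header, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section is None and ": " in line:    # header and summary-count lines
            key, value = line.split(": ", 1)
            header[key] = value
        elif section and (m := ITEM_RE.match(line)):
            items.append((section, *m.groups()))  # "(No malicious items...)" never matches
    return header, items

def recurring_paths(logs):
    """Paths detected in more than one run (case-insensitive). A key or file that
    returns after being quarantined means something still on the box restores it."""
    seen = Counter()
    for text in logs:
        seen.update({path.lower() for _, path, _, _ in parse_mbam_log(text)[1]})
    return sorted(p for p, n in seen.items() if n > 1)

def unresolved_items(text):
    """Entries the scanner has not removed yet (deferred to reboot or skipped)."""
    return [(path, action) for _, path, _, action in parse_mbam_log(text)[1]
            if not action.startswith("Quarantined and deleted")]
```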