
Infected XP SP3, Kaspersky doesn't update, AVG updates disabled, spybot S&D doesnt start, links redirected, popup http://mtn5.goole


7 replies to this topic

#1 florianffm81

florianffm81

  • Members
  • 4 posts
  • Local time:01:20 PM

Posted 12 February 2009 - 05:17 PM

I'm running Windows XP Professional with Service Pack 3. I used Spybot S&D to immunize against common risks, and Ad-Aware. My girlfriend tried to start an .exe which she downloaded from the internet. My PC started to change its normal behaviour and I noticed it yesterday. It found some malware in some of those files. Yesterday evening I deleted some of the downloaded files and checked my PC again. The amount of "hits" seemed to explode. I didn't expect any trouble after cleaning with Ad-Aware. Afterwards I tried to use Spybot Search and Destroy. It didn't even load. Ad-Aware and Malwarebytes both told me to check my internet connection while updating, even though I was online at the time, with no effect. Afterwards I restarted the PC in safe mode and did a full scan twice with AVAST. It took hours. It found win32: pakes-app (TRI) and win32: Trojan-gen {other}. I couldn't delete them with AVAST! Antivirus, so I deleted them manually. Then I searched again with Ad-Aware and didn't find anything.

And I tried to update again. Still the same trouble, and except for Avast! and Ad-Aware most anti-virus programs didn't even start.

Afterwards I tried the Kaspersky online scanner. It showed:

"Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Failed to connect to update source]"

I uninstalled Spybot S&D and I couldn't manage to update it after reinstalling. Ad-Aware was impossible to update as well.

Google started to redirect after I tried to load it. Several sites did the same. Some Google hits were misspelled and ASCII characters were shown instead: "Ascii-button_for_ä instead of ä, or Ascii-button_for_ü instead of ü." If I post those ASCII characters here, the forum just shows them as ä or ü.

So it all looks totally messed up when I try to use my search engine. Also, some search hits seem to be missing their content (no description is shown, just a green link after I googled something). I also had problems opening a few links because of redirects. With my other PC I'm able to open them without problems.

Also I get advertisement popups from mtn5.goole,
p.directaclick.com/popup2.php?r=4W4QQx%27%60~%26RZQWZbW4cPR%23%26W%23EQ}P%60%60x}G%40QgZxQ

and several other sites.


Now it's impossible to open my local hard drives (C:\, D:\, etc.); I can't open them with a double click. I get the following
error message: "Recycler\S-4-8-97-100017807-100000006966-100011417-100011417-1126.com" couldn't be found. Check if the name is misspelled and try again. Click Start and then Search to find a file.

And if that's not bad enough, my friends complain that they get weird links sent over my MSN account. They were asked from my account if they want to see pictures of our last party. They were given the opportunity to click a link and enter their MSN account name and password to log in.

Now I received an email to my mail address that my account got hacked.

I've just seen that my laptop has the same trouble. Sadly I used my external drive on both PCs, so I can't say if they got infected through the external drive or the network. We have a 3rd PC which isn't infected at the moment and is still online.

I would appreciate any help! I'm sorry for my English. I hope you understand me.


Edit: Links disabled, to preclude possible infection. ~tg

Edited by tg1911, 12 February 2009 - 08:42 PM.




#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 PM

Posted 12 February 2009 - 08:32 PM

We got a 3rd PC which isnt infected at the moment and is still online.


I would keep the other 2 computers isolated from it.

Use the clean computer to download the latest installer and definitions:

Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Burn them to CD or transfer to an uninfected USB jump drive

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Chewy

No. Try not. Do... or do not. There is no try.
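The note above explains why Flash_Disinfector leaves a hidden folder named autorun.inf on each drive root: a folder occupying that name stops malware from writing a file of the same name, and it is that file, with its open= or shellexecute= entry, that Windows XP would otherwise act on when the drive is plugged in. The following Python script is an added example, not part of this thread or of Flash_Disinfector, that tells the two cases apart on a drive root and, where a real autorun.inf file is present, lists the launch targets it names so they can be inspected. It works on constructed temporary directories rather than real drives, and the sample autorun.inf content and its target path RECYCLER\example.exe are hypothetical.

```python
import os
import tempfile

# Keys inside [autorun] that can launch a program when the drive is mounted
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample autorun.inf content (hypothetical target path, demo only)
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "icon=icon.ico\r\n"
    "open=RECYCLER\\example.exe\r\n"
    "shellexecute=RECYCLER\\example.exe -s\r\n"
)


def parse_autorun_targets(text):
    """Return (key, target) pairs from the [autorun] section of autorun.inf text.

    Hand-rolled rather than configparser because real autorun.inf files mix
    case, repeat keys and carry stray lines that a strict INI parser rejects.
    """
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in LAUNCH_KEYS:
                targets.append((key, value.strip()))
    return targets


def classify_autorun(drive_root):
    """Describe the autorun.inf state on a drive root.

    protective_folder: a directory holds the name, so no autorun.inf file can
                       be created there (what Flash_Disinfector leaves behind).
    file:              a real autorun.inf exists; its launch targets are listed.
    absent:            nothing by that name on the root.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return {"state": "protective_folder", "launch_targets": []}
    if os.path.isfile(path):
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            return {"state": "file", "launch_targets": parse_autorun_targets(fh.read())}
    return {"state": "absent", "launch_targets": []}


def demo():
    """Build three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected_drive")
        os.makedirs(os.path.join(protected, "autorun.inf"))  # folder, as the tool creates
        suspect = os.path.join(tmp, "suspect_drive")
        os.makedirs(suspect)
        with open(os.path.join(suspect, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE_AUTORUN.encode("latin-1"))  # constructed file (demo only)
        clean = os.path.join(tmp, "clean_drive")
        os.makedirs(clean)
        for name, root in (("protected", protected), ("suspect", suspect), ("clean", clean)):
            results[name] = classify_autorun(root)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["state"])
        for key, target in info["launch_targets"]:
            print("   ", key, "=", target)
```

On a real machine you would call classify_autorun("E:\\") for each removable drive; a result of "file" with launch targets under a folder like RECYCLER is the pattern worth quarantining and scanning before the drive is used anywhere else.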

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 PM

Posted 12 February 2009 - 08:35 PM

Can you access My Computer in Safe Mode on the infected computers?

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.
Chewy

No. Try not. Do... or do not. There is no try.

#4 florianffm81

florianffm81
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:20 PM

Posted 13 February 2009 - 02:19 AM

Thanks for your fast help.
Sadly I have to go to work for a couple of hours and will be back later. I'll send a reply if everything worked.

#5 florianffm81

florianffm81
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:20 PM

Posted 13 February 2009 - 02:32 PM

Malwarebytes' Anti-Malware 1.34
Datenbank Version: 1736
Windows 5.1.2600 Service Pack 3

13.02.2009 20:45:08
mbam-log-2009-02-13 (20-45-08).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 77621
Laufzeit: 2 minute(s), 11 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 20
Infizierte Verzeichnisse: 0
Infizierte Dateien: 13

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7b27cc11-ffb3-4c90-a281-2f5aeb5a724a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cdb2fdd2-1685-4751-8c29-24f3f2c0a4ee}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7b27cc11-ffb3-4c90-a281-2f5aeb5a724a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cdb2fdd2-1685-4751-8c29-24f3f2c0a4ee}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7b27cc11-ffb3-4c90-a281-2f5aeb5a724a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cdb2fdd2-1685-4751-8c29-24f3f2c0a4ee}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{7b27cc11-ffb3-4c90-a281-2f5aeb5a724a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{cdb2fdd2-1685-4751-8c29-24f3f2c0a4ee}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\Temp\tempo-1290640.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-1290906.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-6569453.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-6569687.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxyuyapscd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxekvebklx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxhahsxntq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxkftivwqj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxmexrgqai.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxmvxoxepf.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxmyxkdjar.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxuysegtop.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxvngslviq.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Cleaned my desktop PC and both laptops. Also used Flash_Disinfector to secure the flash devices. Installed Spybot S&D with the newest update and checked every PC again. Cleaned them and checked with Kaspersky again.
Everything is working at the moment. No advertisement popups, no redirection, and all drives are working correctly.

Edited by florianffm81, 13 February 2009 - 05:55 PM.
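The log posted above is the most useful artifact in the thread for a defender: the Dateiobjekte der Registrierung section shows the same pairs of DNS server addresses written into every NameServer and DhcpNameServer value across all control sets, which is consistent with the redirected searches and the "failed to connect to update source" errors described in the first post. The Python script below is an added example, not part of this thread or of Malwarebytes, that parses detection lines in this log format, extracts the DNS server addresses the detections record, counts detections per family, and flags any resolver that is not on an expected list. The log excerpt embedded in it is a constructed sample in the same layout as the posted log, and the expected resolver 192.168.0.1 is a hypothetical value.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt in the same layout as the posted MBAM log (sample data)
SAMPLE_LOG = r"""Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{09c29d2d-a1c2-4578-9356-725a2ea79b1e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.167,85.255.112.168 -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\drivers\gaopdxekvebklx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Detection line layout: item (family) -> [Data: value -> ] action
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.*?) -> )?(?P<action>.+)$"
)


def parse_mbam_log(text):
    """Return one dict per detection line; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def dns_servers_written(entries):
    """Addresses the detections show were written into NameServer/DhcpNameServer values."""
    servers = set()
    for entry in entries:
        item = entry["item"].lower()
        if entry["data"] and item.endswith(("\\nameserver", "\\dhcpnameserver")):
            for token in entry["data"].split(","):
                try:
                    servers.add(str(ipaddress.ip_address(token.strip())))
                except ValueError:
                    continue  # not an IP address; leave it out
    return servers


def family_counts(entries):
    """Number of detections per malware family, e.g. Trojan.DNSChanger."""
    return Counter(entry["family"] for entry in entries)


def unexpected_resolvers(servers, expected):
    """Resolvers not in the set you expect (your router or ISP addresses)."""
    return sorted(servers - set(expected))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(family_counts(found))
    rogue = dns_servers_written(found)
    # Hypothetical expected resolver for the demo
    print("unexpected resolvers:", unexpected_resolvers(rogue, {"192.168.0.1"}))
```

The same check is worth running against the live registry after cleanup, not only against the log: a DNSChanger variant that survives a reboot will write the values back, so comparing the current NameServer values with the resolvers you expect is a quicker confirmation than waiting for the redirects to return.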


#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 PM

Posted 13 February 2009 - 08:41 PM

What symptoms remain?

Can you update MBAM and your other security programs?

MBAM is up to 1761

Edited by DaChew, 13 February 2009 - 08:42 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 florianffm81

florianffm81
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:20 PM

Posted 14 February 2009 - 05:09 PM

There was no problem in updating my security software. Thanks for your help.

Something is still ugly. It looks like someone got my MSN account hacked with the virus I've had, if this is possible? Friends told me that they got a link sent by me while my PC was offline. It's a suspicious link, maybe redirecting to a malware-infected site (MSN + Wikipedia under security). MSN is logging off from time to time, and it says that another user is logging in with my MSN account on another PC. Now I got an email that my mail account got hacked. I changed the password, but I'm still getting mails in GMX from myself to myself with "spam".

Any suggestions?

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:20 PM

Posted 14 February 2009 - 05:27 PM

That's how some malware spreads; it had total access to your machine and any confidential information.
Chewy

No. Try not. Do... or do not. There is no try.
