Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Super Spyware 2009


  • Please log in to reply
4 replies to this topic

#1 LouS

LouS

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 21 February 2009 - 02:42 AM

I have had pretty good luck the past few years with viruses. Unfortunately, this is my second issue within the past couple of months. I appreciate BleepingComputer.com's help in resolving my first issue and I hope I will be as fortunate this time.

A couple of days ago I had a pop-up for "Super Spyware 2009" show up on my screen. I ran Malware Bytes and had the following log:

Malwarebytes' Anti-Malware 1.33
Database version: 1760
Windows 5.1.2600 Service Pack 3

2/19/2009 11:47:31 PM
mbam-log-2009-02-19 (23-47-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137421
Time elapsed: 52 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Lynch\Local Settings\Temp\UAC42cf.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACaoroylkg.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACdwoomvjm.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACwyltodht.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACdnjnreod.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wpv041235086889.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACspqlkfwv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACtjnpwpyn.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACyotxmodj.log (Trojan.Agent) -> Delete on reboot.

I thought I had taken care of the problem, but the past two nights AVG blocked the following:

"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0007296.dll";"Trojan horse FakeAlert.HC";"Moved to Virus Vault"
"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0007297.dll";"Trojan horse FakeAlert.GL";"Moved to Virus Vault"
"C:\WINDOWS\Temp\125.tmp";"Trojan horse Pakes.AP";"Moved to Virus Vault"
"C:\WINDOWS\Temp\128.tmp";"Trojan horse Pakes.AP";"Moved to Virus Vault"

My latest Malware Bytes scan didn't find anything. Any suggestions?

Thank you in advance.

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:14 PM

Posted 21 February 2009 - 09:22 AM

Rootkit.TDSS

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 LouS

LouS
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 21 February 2009 - 01:18 PM

Rigel,

Thanks for your help. I think it is time to re-format. I haven't ever re-formatted a computer before. Is there a good guide of what I should transfer over to my external hard drive so I don't lose any important files? Obviously, pictures, music, address books, etc. Then I started thinking about my bookmarked websites and other things that didn't cross my mind immediately. Also, how can I be sure that something I transfer over to my external hard drive isn't infected?

I understand that these are very novice questions, but any suggestions would be appreciated!

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:14 PM

Posted 22 February 2009 - 09:49 AM

Some would say you could never trust any files moved. The infection you have should leave your documents and pictures alone. I would recommend anything you move be scanned with Malwarebytes and antivirus before restoring to your clean install.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 miszt

miszt

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 22 February 2009 - 04:50 PM

I've just discovererd this on my system, meep!! Not happy, and a little confused how it got on there, I have two setups (xp and vista) on my machine, Windows XP now loads up and demands I activate it again, which was the first odd thing I noticed, however when I clicked Yes, the activation window crashes and I end up back at the login. I ran a quick scan of the XP partition and a few of the fakealert dll's appeared on the xp drive

Obviously as I have this trojan I need to format and reinstall XP, but I really hope I wont have to do that with my vista install...any idea if vista has any protection against this? the vista install is on the same drive, so I'm guessing not much, although security is better, pherhaps it will refuse access to the registry and never get installed...? I have AVG running, which I hope will pick up on any attempted installation...reinstalling xp and vista will me a massive task i really dont have time for eek

Edited by miszt, 22 February 2009 - 04:51 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users