infected with trojan


  • This topic is locked
8 replies to this topic

#1 JimSid

JimSid

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 23 February 2009 - 01:35 PM

I had at first been infected with MS antispyware 2009. I used a few spyware removal programs such as Superantispyware free edition and Malwarebytes antimalware which helped a little but did not remove all problems. I keep getting messages that I am infected from popup windows and my AVG scanner tells me I have an "Exploit rogue spyware scanner" but it cannot remove.


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 23 February 2009 - 05:38 PM

Hello.

Please post the AVG report over here so we could see what it's detecting. Also run MBAM again. Update it first before scanning it using the "quick scan option" please.

Post them here once they are done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 24 February 2009 - 03:39 PM

Hello.

To reply use the Add reply button near the bottom. Please do not send me any more PMs, as I will ignore them next time. You may wish to look at this topic: http://www.bleepingcomputer.com/forums/f/82/new-user-orientation/

From your PM:

Please pardon if I am sending this through the wrong channel. I am new to this site and am not sure of proper procedures. I do not know how to post my AVG report here but I can type in what it says.

File c\documents and settings\Jim\temporary internet files\content.IE5\Q5QQFZ5B\Freescan{1}.htm
Infection Virus found FakeAlert
Result moved to virus vault


File c\documents and settings\Judy\temporary internet files\content.IE5\IT5HIAOUI\freescan[1].htm
Infection Virus found FakeAlert
Result moved to virus vault

Here is updated MBAM report requested.

"C:\Documents and Settings\Judy\Local Settings\Temporary Internet Files\Content.IE5\IT5H1AOU\freescan[1].htm";"Virus found FakeAlert";"Moved to Virus Vault"

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

2/24/2009 9:02:42 AM
mbam-log-2009-02-24 (09-02-42).txt

Scan type: Quick Scan
Objects scanned: 92972
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\Log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\Settings (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\N4VUH56B\InstallAVg_881001[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\Log\2009 Feb 23 - 12_19_52 PM_000.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\Settings\ScanResults.pie (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

I will take a look at this and give you the instructions later. I am just posting this in case I forget later. :thumbsup:

Thanks for being patient and I will get back to you ASAP.

With Regards,
Extremeboy
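Added example (not from the thread and not Malwarebytes' own code): a small Python parser for the MBAM 1.x text log format quoted above. It lists findings per detail section and flags the entries that sit in boot/logon persistence locations (the Run key and Winlogon\Userinit), which are the items a helper would want to re-verify after the quarantine and reboot. The sample log is a constructed excerpt modelled on the one posted; section names and line layout follow that log.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log and pull out the
findings that live in Windows autostart locations."""
import re
from collections import Counter

# Constructed excerpt modelled on the MBAM 1.34 log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Jim\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
"""

# One detection line: "<location> (<detection>) [-> Data: <data>] -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<location>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Registry locations that run code at boot or logon. A quarantined entry here
# is worth checking by hand after cleanup; Winlogon\Userinit is the logon
# entry point, so a wrong value there breaks the logon itself.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\Run(?:Once)?\\|\\Winlogon\\(?:Userinit|Shell|Notify)",
    re.IGNORECASE,
)


def parse_mbam_log(text):
    """Return one dict per detection line: section, location, detection, data, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # start of a detail section
            section = line[:-1]
            continue
        # Skip the preamble/count lines and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def summarize(findings):
    """Number of findings per detail section."""
    return dict(Counter(f["section"] for f in findings))


def autostart_findings(findings):
    """Findings whose location is a boot/logon persistence point."""
    return [f for f in findings if AUTOSTART_RE.search(f["location"])]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for sec, n in summarize(found).items():
        print(f"{sec}: {n}")
    for f in autostart_findings(found):
        print("AUTOSTART:", f["location"], "->", f["detection"], "| data:", f["data"])
```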

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 24 February 2009 - 06:07 PM

Hello.

The files that AVG found were only Temporary Internet Files. That was detected as "FakeAlert" because that web page you were on was probably a rogue/ad-related fake web page. Those files cannot do any harm but it's good that AVG removed it because what if you went to that page again accidentally, such as when viewing your history etc...

MBAM removed that rogue you were talking about and another rogue it seems. What problems do you still have?

Please run SAS and Smitfraudfix. Also note that the Smitfraudfix you were using was the FAKE Smitfraudfix Tool. You need to be careful with these things. This was mentioned a few days ago over here: http://www.bleepingcomputer.com/forums/t/205151/smitfraudfixtool-falls-short-compared-to-the-real-thing/

Some nice reading. :thumbsup:

Run SmitFraudFix

You can find complete instructions for running SmitFraudFix in the link below:
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/

I suggest you print these instructions out or save them somewhere so when you are in Safe Mode you can follow the instructions correctly.
  • Boot your computer into Safe Mode(Refer below on how to boot into Safe Mode) before we can run this tool.
  • Double click the icon(Smitfraudfix) to run it.
  • Select Option 2 by typing 2 and hitting Enter.
  • The scan will progress. Answer Yes to any prompts you receive. This will include running disk cleanup and removing infected files.
  • The tool will restart your computer.
  • Upon reboot, a log file located at C:\rapport.txt will open. Copy its contents into your next reply.
Boot Into Safe Mode

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Download and Run SUPERAntiSpyware
We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Post back with:
-SmitfraudFix report
-SAS scan log
-What problems do you still have?


With Regards,
Extremeboy

#5 JimSid

JimSid
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 25 February 2009 - 10:42 AM

First, my apologies for using a PM to respond. In my haste to fix my virus problems I did not spend the time needed to read all the instructions for how to use this forum. I have probably done more harm than good by trying to download various fixes that I found on Google searches, i.e. the fake SmitFraud, before I received your help and I am sorry for that also.
Now back to my problem. Below are the SAS report and the Smitfraud fix report you requested. Unfortunately neither fixed my problem. The popups even appeared in safe mode after I ran Smitfraud. Some examples of the popups are as follows.

1. You have a security problem! Do you want to scan for viruses.
2. My Computer window with a fake scanning device all over a blue background.
3. Internet Explorer window saying Warning your computer contains various signs of virus and malware. Antivirus 360 will perform free scan.

My AVG responds with windows also. Examples are,

1. AVG resident shield alert. multiple threat detection
File C:\WINDOWS\SYSTEM32\userinit.exe
Infection Trojan horse generic 12.BUNE
Result Object is in whitelist
Process name C\windows\explorer.exe

2. AVG web shield alert
File scanstabilityonline.com/index.php?affid=08100
File spywareremover2009plus.com/2009/140/?
File bestvirusremover2009.com/js/params.js
Threat name Exploit Rogue spyware scanner
Process name C\program files\Internet Explorer\explore.exe Process ID 2296

I hope this information helps. Thanks again, Jim

SmitFraudFix v2.398

Scan done at 23:37:37.04, Tue 02/24/2009
Run from C:\Documents and Settings\Jim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

207.210.117.53 www.winmx.com

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A1114240-5120-463C-BEDA-01C887325871}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A1114240-5120-463C-BEDA-01C887325871}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A1114240-5120-463C-BEDA-01C887325871}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2009 at 02:17 AM

Application Version : 4.25.1012

Core Rules Database Version : 3774
Trace Rules Database Version: 1733

Scan type : Complete Scan
Total Scan Time : 02:28:43

Memory items scanned : 234
Memory threats detected : 0
Registry items scanned : 6602
Registry threats detected : 0
File items scanned : 78853
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Jim\Cookies\jim@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Jim\Cookies\jim@ad.yieldmanager[1].txt
C:\Documents and Settings\Jim\Cookies\jim@adbrite[2].txt
C:\Documents and Settings\Jim\Cookies\jim@adtrafficsolution[1].txt
C:\Documents and Settings\Jim\Cookies\jim@doubleclick[1].txt
C:\Documents and Settings\Jim\Cookies\jim@kontera[1].txt
C:\Documents and Settings\Jim\Cookies\jim@questionmarket[2].txt
C:\Documents and Settings\Jim\Cookies\jim@revsci[2].txt
C:\Documents and Settings\Jim\Cookies\jim@statcounter[1].txt
C:\Documents and Settings\Jim\Cookies\jim@xiti[1].txt
C:\Documents and Settings\Judy\Cookies\judy@adtrafficsolution[1].txt

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 25 February 2009 - 04:31 PM

Hello.

That's odd. Smitfraudfix usually should have removed this infection. Also SAS should have detected something and it didn't, only some cookies involved.

I would like you to run a GMER scan for me and then we will decide what to do. We may need to move you to the HJT-Malware Removal forum as I cannot see anything currently with the scan logs.

Those webpages are rogue sites and therefore please do not download or use those products. AVG detected them because you probably got redirected to that site and that site is a rogue site and that was why it detected your Iexplorer as "bad".

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    • Click on Scan and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Important! Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy

#7 JimSid

JimSid
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 27 February 2009 - 08:42 AM

Hello, I did not hear from you yesterday so I am reposting the GMER log in case it did not go through the last time. I am not very computer savvy but there does not seem to be much on it. I hope it helps. Thanks again for your help. Jim


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-25 23:48:06
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4E27F20]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fastfat \Fat B88A9D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----



#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 27 February 2009 - 05:02 PM

Hello again.

You may want to start another topic in the Malware Removal forum because I cannot see any logs that show where the active loading point is. Just an FYI, the GMER log was clean.

Preparation Guide before Posting: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you do not have a reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

With Regards,
Extremeboy

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:59 AM

Posted 01 March 2009 - 03:05 AM

Hello JimSid,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/207124/trojan-horse-generic-12bune/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



