
Spyware Protect 2009 infection


  • This topic is locked
10 replies to this topic

#1 ohiotech

ohiotech

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 04 March 2009 - 07:34 PM

A few days ago, my computer started displaying alerts to buy SpywareProtect 2009. I did not purchase it and after reading on a different site some advice about getting rid of it, I ended the process from the taskbar and deleted one of its executable files. That eliminated the pop ups but problems persisted. I attempted to run Malwarebytes but the system wouldn't let me do it. I read on the forums here about renaming mbam.exe to mbam.com and after doing so, it ran. Unfortunately I still have erratic computer behavior. I can't go to certain sites unless I type in the address in my browser and I still can't run mbam without renaming it. Also when visiting certain sites my Firefox browser just closes down by itself.

I just ran my Norton Antivirus and it can't find anything. Every time I now run Malwarebytes it finds something, I delete them, restart the computer and they come back. I believe I am using the latest version of Malwarebytes (version 1.34 from Feb 21). Here is the latest output from Malwarebytes. Please help.

Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 2

3/4/2009 6:27:45 PM
mbam-log-2009-03-04 (18-27-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201160
Time elapsed: 1 hour(s), 29 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e7fd22cf-9b01-48fc-ac4d-c760c7b468cf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e7fd22cf-9b01-48fc-ac4d-c760c7b468cf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e7fd22cf-9b01-48fc-ac4d-c760c7b468cf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
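The six "Registry Data Items Infected" lines above all point the machine's DHCP-assigned DNS resolvers (the DhcpNameServer values) at 85.255.112.222, 85.255.112.178 and 1.2.3.4, which is the Trojan.DNSChanger behaviour that explains the "can't reach certain sites" symptom. The script below is an added example, not code from the post or from Malwarebytes: it parses the NameServer lines of an MBAM log, extracts the resolver addresses, and reports any that are neither in a private (RFC 1918) range nor on a caller-supplied allow-list of known resolvers. The `trusted_resolvers` parameter and the third, clean log line (with an all-zero interface GUID) are constructed for the example; the first two lines are copied from the log in this post. Matching `NameServer` as well as `DhcpNameServer` is a generalisation beyond what this log shows.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample excerpt: the first two lines are copied from the
# Malwarebytes log in the post above; the third line is made up to show a
# clean DhcpNameServer value (LAN router) that must not be flagged.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e7fd22cf-9b01-48fc-ac4d-c760c7b468cf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.222 85.255.112.178 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}\DhcpNameServer (Constructed.Clean) -> Data: 192.168.1.1 -> No action taken.
"""

# Private ranges are treated as trusted: a home router or corporate DNS
# server handing out a LAN address is the normal case.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One MBAM "Registry Data Items" line: key (detection) -> Data: values -> action
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[^ ]*\\(?:Dhcp)?NameServer) "
    r"\((?P<detect>[^)]*)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$"
)


def parse_nameserver_entries(log_text):
    """Return one dict per NameServer/DhcpNameServer line found in the log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in m.group("data").split():
            try:
                servers.append(ip_address(token))
            except ValueError:
                continue  # ignore anything in the Data field that is not an IP
        entries.append({
            "key": m.group("key"),
            "detection": m.group("detect"),
            "servers": servers,
            "action": m.group("action"),
        })
    return entries


def is_trusted(ip, trusted_resolvers):
    """True if the resolver is on the allow-list or inside a private range."""
    return ip in trusted_resolvers or any(ip in net for net in PRIVATE_NETS)


def rogue_servers(entries, trusted_resolvers=()):
    """Map registry key -> list of resolver addresses (as strings) that are
    neither private nor on the hypothetical trusted_resolvers allow-list."""
    trusted = {ip_address(t) for t in trusted_resolvers}
    rogue = {}
    for entry in entries:
        bad = [str(ip) for ip in entry["servers"] if not is_trusted(ip, trusted)]
        if bad:
            rogue[entry["key"]] = bad
    return rogue


if __name__ == "__main__":
    # Without an allow-list, every public resolver in the sample is reported.
    for key, bad in rogue_servers(parse_nameserver_entries(SAMPLE_LOG)).items():
        print(key, "->", ", ".join(bad))
```

Running it on the sample reports the two copied keys with all three public addresses and stays silent on the constructed 192.168.1.1 entry; passing the ISP's real resolvers in `trusted_resolvers` narrows the output to the genuinely unexpected ones. The same check is worth repeating after cleanup, since the poster reports the detections returning after each reboot.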


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:22 AM

Posted 04 March 2009 - 08:00 PM

Update MBAM to the newest definitions, use the update tab in the program window, run another quick scan but run ATFCleaner first

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


After a reboot if required to remove files, please run Smitfraudfix as a scan

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Chewy

No. Try not. Do... or do not. There is no try.

#3 ohiotech

ohiotech
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 04 March 2009 - 09:54 PM

I was able to run ATF Cleaner. I downloaded SmitfraudFix.exe. When I went to run it, I received the error box that said "SmitfraudFix.exe has encountered a problem and needs to close......" I rebooted (even though it wasn't required) and tried running SmitfraudFix again but had the same error message.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:22 AM

Posted 04 March 2009 - 10:08 PM

uacinit.dll, following a few threads with this infection showed where smitfraudfix would not run and in those cases requires the use of tools we don't use in this forum. Those tools take the expert supervision of trained helpers.

I would suggest posting a log in the HJT forum

Follow these directions

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you need help just ask here

Edited by DaChew, 04 March 2009 - 10:08 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#5 ohiotech

ohiotech
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 04 March 2009 - 10:20 PM

OK. I'll go over there and give it a try. From what you have read about this problem, do you think it is something that can be fixed?

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:22 AM

Posted 05 March 2009 - 12:07 AM

Can you update and run a new MBAM scan?
Chewy

No. Try not. Do... or do not. There is no try.

#7 ohiotech

ohiotech
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 05 March 2009 - 07:29 AM

Not directly from the Mbam application on the infected computer. I downloaded the most recent version of mbam on another computer, put it on a USB stick and loaded that version on the infected computer, renamed it to mbam.com and after several reboots, it ran. Does that mean I ran the latest version of mbam?

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:22 AM

Posted 05 March 2009 - 08:02 AM

Database version: 1793


yours

Malwarebytes' Anti-Malware 1.34
Database version: 1820


mine

You will have to update a clean computer that is connected to the internet and transfer the file

Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Edited by DaChew, 05 March 2009 - 08:03 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#9 ohiotech

ohiotech
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 05 March 2009 - 01:42 PM

When I try to obtain the latest version of Mbam using a clean computer, is it ok to download mbam.exe directly to a usb stick and transfer just mbam.exe to the infected computer (that's what I did a few days ago) or do I have to actually install mbam on the clean computer and run an update? If I have to install and update, what file do I transfer over to the infected computer and once I transfer the file, how do I use it to update the infected computer?

Thanks for your help.

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:22 AM

Posted 05 March 2009 - 05:08 PM

After you install MBAM and update MBAM on the clean computer you go to that location in my quote, reread it!
You take that file to the infected computer and place it in the same place that it was on the clean computer.
Chewy

No. Try not. Do... or do not. There is no try.

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:22 AM

Posted 05 March 2009 - 09:30 PM

Hello ohiotech,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/208514/spyware-protect-2009-infection-leaving-file-uacinitdll/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:

1) Have this thread reopened to continue here and the HiJack This log topic deleted

OR

2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
