I Am Impressed With The Malware On My System.



#1 Joshuah

Posted 05 March 2009 - 04:25 PM

Hi All,

I am running Windows XP Service Pack 3. I have NOD32 installed and running on my system. I also have the Malwarebytes Anti-Malware program (since the newest piece of malware, I upgraded to this program; I used Spybot Search and Destroy in the past). I keep getting targeted pop-ups on my computer. If I am at a school's web page, a page for other schools will pop up. If I am searching for something on Google, Shopica search results will pop up. If I click on anything, moments later a pop-up will appear advertising something related to what I clicked.

I have run Spybot Search and Destroy; it found quite a few infected files. I then restarted in safe mode again, and it found a few more. The next day I saw I was still getting pop-ups. I uninstalled Spybot and installed Malwarebytes, did a full scan, and then restarted in safe mode and did a scan again. I do this every day and every day it finds 2 registry key entries.

At the moment I am running Microsoft Malicious Software Removal Tool. After this is done, I will restart in safe mode and run the program again.


Does anyone have any more suggestions on what to do?


Thanks for any and all help.

~Josh


#2 Joshuah (Topic Starter)

Posted 05 March 2009 - 04:49 PM

After viewing the rest of the forums, I see I have put this in the wrong place. Please feel free to move it.


thanks,
~josh

#3 Swordie (Miami, Florida)

Posted 05 March 2009 - 05:06 PM

Well, I have informed them to move to the correct forum.

I'll attempt to help you. I would suggest installing MBAM. It is anti-malware software. Here are the instructions:

1. Go to this link: MalwareBytes Anti-Malware
2. Download and Install MalwareBytes.
3. After the Installation process, update the program. There will be an option for it.
4. Now, click "Perform a Quick Scan". It is the first option.
5. Return here with results.
Who said I couldn't have everything?

#4 Joshuah (Topic Starter)

Posted 05 March 2009 - 05:10 PM

Well, I have informed them to move to the correct forum.

I'll attempt to help you. I would suggest installing MBAM. It is anti-malware software. Here are the instructions:

1. Go to this link: MalwareBytes Anti-Malware
2. Download and Install MalwareBytes.
3. After the Installation process, update the program. There will be an option for it.
4. Now, click "Perform a Quick Scan". It is the first option.
5. Return here with results.


I appreciate the help, but did you even read my post?

#5 extremeboy (Malware Response Team)

Posted 05 March 2009 - 05:15 PM

Hello.

@Swordie
He has already downloaded and installed MBAM and ran it already and says he always finds 2 registry key entries, so I don't think running it again/installing it will be necessary.

@Joshuah
Let's do the following please.

Post back with the MBAM log you have run (the latest log file please).

Next please create and run the following batch file.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • ERUNT will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


How to Restore from the ERUNT Backup
Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off
    rem Remove any looking.txt left over from an earlier run
    If exist "C:\looking.txt" Del /q /s "C:\looking.txt"
    rem Dump the drivers32 key to a text file and open it in Notepad
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
    Notepad C:\looking.txt
    rem Delete this batch file itself; kept as the last line so that it actually runs
    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like that of a .bat file.

Double click on peek.bat, and a black DOS window shall appear and then Notepad will soon open. This is normal, please do not panic. Once it's complete, copy and paste the contents of Notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#6 Joshuah (Topic Starter)

Posted 05 March 2009 - 05:33 PM

extremeboy,

Thank you, great directions, idiot proof!

Looking.txt Info...

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ serwvdrv.dll
wave1 REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
msacm.ac3filter REG_SZ ac3filter.acm
vidc.divx REG_SZ divx.dll
vidc.yv12 REG_SZ divx.dll
vidc.xvid REG_SZ xvidvfw.dll
vidc.ffds REG_SZ ff_vfw.dll
vidc.vp60 REG_SZ vp6vfw.dll
vidc.vp61 REG_SZ vp6vfw.dll
vidc.vp62 REG_SZ vp6vfw.dll
vidc.hfyu REG_SZ huffyuv.dll
msacm.at3 REG_SZ atrac3.acm
msacm.divxa32 REG_SZ DivXa32.acm
vidc.mjpg REG_SZ pvmjpg30.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server


Malware Bytes Log File

Malwarebytes' Anti-Malware 1.34
Database version: 1811
Windows 5.1.2600 Service Pack 3

3/3/2009 3:25:02 PM
mbam-log-2009-03-03 (15-25-02).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 229878
Time elapsed: 1 hour(s), 19 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
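The looking.txt dump that peek.bat produces (post #5) is read by eye above. As an added example that is not part of this thread or of any tool it names, here is a small Python triage script for that output: it parses the REG.EXE 3.0 layout and flags entries whose data names a kernel driver (.sys, which does not belong among the user-mode codecs drivers32 holds) or an absolute path outside system32. The sample text mixes four entries copied from the posted log with two constructed anomalies, and the system32 location is assumed.

```python
import re

# Text in the layout REG.EXE 3.0 prints for the drivers32 key. The first four
# entries are copied from the looking.txt posted in this thread; the last two
# are constructed anomalies for illustration and are not from the posted log.
SAMPLE_LOOKING_TXT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
    midimapper    REG_SZ    midimap.dll
    wave1    REG_SZ    wdmaud.drv
    msacm.l3acm    REG_SZ    C:\WINDOWS\system32\l3codeca.acm
    vidc.xvid    REG_SZ    xvidvfw.dll
    aux    REG_SZ    wdmaud.sys
    midi9    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\sysaudio.sys
"""

# One value line: name, registry type, data (the data may contain spaces).
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.+?)\s*$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM32 = "c:\\windows\\system32\\"  # assumed Windows XP system directory


def parse_drivers32(text):
    """Return (name, type, data) for every value line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groups())
    return entries


def flag_entries(entries):
    """Map value name -> reason for entries worth a closer look.

    drivers32 should only name user-mode multimedia modules (.dll, .drv, .acm, .ax),
    either by bare file name or by a path under system32.
    """
    flagged = {}
    for name, _type, data in entries:
        lowered = data.lower()
        if lowered.endswith(".sys"):
            flagged[name] = "kernel driver (.sys) registered as a user-mode codec"
        elif ABS_PATH_RE.match(data) and not lowered.startswith(SYSTEM32):
            flagged[name] = "absolute path outside %SystemRoot%\\system32"
    return flagged
```

Run `flag_entries(parse_drivers32(open("C:\\looking.txt").read()))` against a real dump; the legitimate entries in the posted log (bare file names or system32 paths) produce no flags.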



#7 extremeboy (Malware Response Team)

Posted 05 March 2009 - 05:49 PM

Hello.

Does the redirect/pop-ups occur in only Firefox or IE or both?

Let's remove those two registry keys that MBAM didn't.

Download and Run Script with Swreg.exe
  • Please download SWREG.exe, and save it to your C:\Windows Directory please.
In case you are using Firefox and it gets saved directly onto your desktop, do the following:
  • Please copy and paste Swreg.exe to your C:\Windows directory.
  • After you have pasted Swreg.exe into your C:\Windows directory you may delete the other copy on your desktop.
  • We need to execute a Batch File now
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    @Echo Off
    rem Delete the two files this infection dropped into system32
    For %%a in (
    C:\Windows\system32\wdmaud.sys
    C:\WINDOWS\system32\sysaudio.sys
    ) Do (
    del /q /s /f /a %%a
    )
    rem Adjust the ACLs on the two keys MBAM reported, then delete them
    swreg ACL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan /OA
    swreg ACL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan /P /GE:F
    swreg NULL DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
    swreg DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
    swreg ACL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System /OA
    swreg ACL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System /P /GE:F
    swreg NULL DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System
    swreg DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System
    cls
    rem Query both keys again so the result can be posted; an empty file means they are gone
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan" > C:\query.txt
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System" >> C:\query.txt
    Notepad C:\query.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the icon should look like that of a .bat file.

Double click on Remove.bat to run it. You may get a security warning, please select Run. A black window will open and then disappear; this is normal. Then Notepad will open; post the contents of Notepad in your next reply. The contents of Notepad can also be found at C:\query.txt

Note: If notepad was empty let me know.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

After reboot post back with:
-C:\query.txt
-GMER log
-Answer to my question
-Is the problem still there?

With Regards,
Extremeboy

#8 Joshuah (Topic Starter)

Posted 05 March 2009 - 07:00 PM

Will do that, I have deviated from the plan for right now. I finished running Windows Malicious Software Removal Tool, it asked that I run an anti-spyware program again, and that's what I'm doing. I'll post the log file and then do your suggestions.


thanks again for all your help man!

#9 extremeboy (Malware Response Team)

Posted 05 March 2009 - 08:26 PM

Hello.

That's fine. Thanks for the update.

A good anti-spyware scanner in my opinion is SuperAntiSpyware. It can be downloaded over here: http://www.superantispyware.com/

If you already have an anti-spyware program, then no need to install it or run it. Post the results once they are finished.

Thanks.

With Regards,
Extremeboy