help please


19 replies to this topic

#1 boosturrr

Posted 07 March 2009 - 06:36 AM

At first my iPod was infected by "NUDE SEX SCANDAL.vbs".
Then when I plugged it into the computer, I can't access Task Manager, and my hidden files that were initially shown can't be accessed, also my folder options. Please help. Thank you.

#2 extremeboy

  • Malware Response Team

Posted 07 March 2009 - 05:42 PM

Hello.

Run MBAM and then run the following tool to fix Task Manager and any other restrictions.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run RRT

RRT, the Remove Restrictions tool can be used to enable the Task Manager, Regedit, and Folder Options.
  • Please download RRT.exe from here, here, or here and save it to your desktop.
  • Double click RRT.exe to run it.
  • If you get a security warning, please allow it to continue/run.
  • Select Enable All.
  • You will get a message saying it was Done re-enabling.
  • Click Ok
  • Close the program and Restart your Computer please
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 boosturrr

Posted 07 March 2009 - 10:19 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/8/2009 9:07:46 AM
mbam-log-2009-03-08 (09-07-46).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 184703
Time elapsed: 1 hour(s), 1 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf46bfb3-2acc-441b-b82b-36b9562c7ff1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9bd0828-1fd9-410c-a50f-43ebe65d310f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce0487ca-8b02-431e-ba63-d38844e020b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b27cc68-110c-46a9-80d3-f3107de6eb98} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (regedit.exe"%1" %*) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
D:\Games\Ranch Rush\ijl15.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mywehit.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mywehit.ini.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BMefe76339.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 boopme

  • Global Moderator

Posted 07 March 2009 - 10:49 PM

Please Rerun MBAM like this

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, post new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 boosturrr

Posted 07 March 2009 - 11:15 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 2

3/8/2009 12:14:55 PM
mbam-log-2009-03-08 (12-14-55).txt

Scan type: Quick Scan
Objects scanned: 81405
Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
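
Added example, not part of any post in this thread: the two MBAM logs above can be compared mechanically to see which "Registry Data Items" were flagged again on the rescan after being reported as removed. The function names and the regular expression are assumptions written for this log layout; the sample lines are copied from the two logs posted above.

```python
import re

# Sample input: "Registry Data Items Infected" lines copied from the two MBAM
# logs posted in this thread (database 1749 full scan, then database 1826 rescan).
FIRST_SCAN = r"""
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (regedit.exe"%1" %*) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# Layout: <registry path> (<detection>) -> Bad: (<found>) Good: (<expected>) -> <action>
# Only data-item lines carry the Bad:/Good: pair, so other log lines never match.
DATA_ITEM = re.compile(
    r"^(?P<path>HKEY_[^()]+?)\s+\((?P<detection>[^)]+)\)\s+->\s+"
    r"Bad:\s+\((?P<bad>.*?)\)\s+Good:\s+\((?P<good>.*?)\)\s+->\s+(?P<action>.+)$"
)


def parse_data_items(log_text):
    """Map each flagged registry path to its detection name and Bad/Good data."""
    items = {}
    for line in log_text.splitlines():
        m = DATA_ITEM.match(line.strip())
        if m:
            items[m["path"]] = {k: m[k] for k in ("detection", "bad", "good", "action")}
    return items


def value_name(path):
    """Last component of the registry path, e.g. 'DisableTaskMgr'."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def compare_scans(first_log, second_log):
    """Classify data items by whether they appear in one scan or both."""
    first, second = parse_data_items(first_log), parse_data_items(second_log)
    return {
        "recurring": sorted(p for p in second if p in first),  # flagged again after removal
        "cleared": sorted(p for p in first if p not in second),  # stayed fixed
        "new": sorted(p for p in second if p not in first),  # first seen on the rescan
    }


if __name__ == "__main__":
    for status, paths in compare_scans(FIRST_SCAN, SECOND_SCAN).items():
        for p in paths:
            print(f"{status:9} {value_name(p)}")
```

A value listed as recurring was reported as removed in the first log and flagged with the same "Bad" data in the second, so either the first change did not persist or something set it back between scans.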

#6 boopme

Posted 07 March 2009 - 11:34 PM

How is it running now?

#7 boosturrr

Posted 07 March 2009 - 11:49 PM

I still can't log in as administrator. I'm logged as TQ/username

Edited by boosturrr, 07 March 2009 - 11:49 PM.


#8 boopme

Posted 08 March 2009 - 12:29 AM

See if this helps
http://www.microsoft.com/windowsxp/using/s...minaccount.mspx

#9 boosturrr

Posted 08 March 2009 - 12:38 AM

Unfortunately, it didn't help, and I still can't access my Task Manager. Although, I can see my hidden folders and my folder options now.

#10 extremeboy

Posted 08 March 2009 - 11:08 AM

Hello.

This seems like another of those sowar.vbs-related infections. Please perform the following scans. If they don't remove or heal the registry keys related to the restrictions then we will do something else next post :thumbsup:

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    • Click on the Scan and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Download and Run SUPERAntiSpyware

We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Post back with:
-GMER log
-SAS log


With Regards,
Extremeboy

#11 boosturrr

Posted 08 March 2009 - 10:37 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2009 at 09:56 AM

Application Version : 4.25.1014

Core Rules Database Version : 3788
Trace Rules Database Version: 1745

Scan type : Complete Scan
Total Scan Time : 01:16:31

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 6784
Registry threats detected : 23
File items scanned : 21583
File threats detected : 2

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\InprocServer32#ThreadingModel
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\ProgID
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\Programmable
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\TypeLib
HKCR\CLSID\{F4F10C1D-87C7-404A-B4B3-000000000000}\VersionIndependentProgID
HKCR\SearchHook.SrchHook.1
HKCR\SearchHook.SrchHook
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\0\win32
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\FLAGS
HKCR\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}\1.0\HELPDIR
C:\PROGRA~1\DAP\SBSEARCH.DLL
HKU\S-1-5-21-527237240-1897051121-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{F4F10C1D-87C7-404A-B4B3-000000000000}
HKCR\Interface\{02FE50FA-9953-4B3E-98B1-0F1AF2577660}
HKCR\Interface\{02FE50FA-9953-4B3E-98B1-0F1AF2577660}\ProxyStubClsid
HKCR\Interface\{02FE50FA-9953-4B3E-98B1-0F1AF2577660}\ProxyStubClsid32
HKCR\Interface\{02FE50FA-9953-4B3E-98B1-0F1AF2577660}\TypeLib
HKCR\Interface\{02FE50FA-9953-4B3E-98B1-0F1AF2577660}\TypeLib#Version

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSTSSV.EXE.VIR

#12 boosturrr

Posted 09 March 2009 - 12:05 AM

I can't seem to copy the GMER log. Is it okay if I hosted it in an online file storage bank?

the link is: http://www.zshare.net/download/5675536414b92465/

#13 extremeboy

Posted 09 March 2009 - 03:11 PM

Hello.

I'm downloading the GMER log right now. It's a HUGE file (15MB).. I'm glad you didn't post it.. :thumbsup:

It seems you ran Combofix before. Those problems you had (Task Manager not working, etc.), are they still there? Can you access them now?

With Regards,
Extremeboy

#14 boosturrr

Posted 09 March 2009 - 06:54 PM

Yes, I can access the Task Manager already, but it seems that I'm still logged on as TQ/username. I was wondering if it's part of the virus? Because when my computer wasn't infected I was logged on as administrator/username...

again thank you so much.

#15 extremeboy

Posted 09 March 2009 - 07:10 PM

Hello.

I can't really be sure on that. I haven't seen vundo infections creating new user profiles and forcing you to log on that certain account though.

Was that profile account you created or was it not there at all? Also, can you no longer access the other account you are talking about?

Run an online scan and see if anything else gets picked up.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy