
Please help me (unknown malware)


14 replies to this topic

#1 PurduePharmDGuy (Members, 12 posts)

Posted 07 March 2009 - 10:34 PM

I have spent the entire day trying to get rid of some malware on my system. I've used Ad Aware, Combofix, malwarebytes anti-malware, and super anti spyware. Super anti spyware deleted several trojans and adware and one of the other programs deleted a rootkit. I know I can reformat but I have over 100gigs of important data that would be too difficult to backup and restore. Here are my symptoms:

In firefox google and yahoo search results redirect to other websites, several of which promote anti virus software. With metacrawler the results aren't displayed in firefox. Also IE loads but no images display and it barely functions. I'm sorry that this is very basic info but I'm not very good with computers and I'm about to cry :thumbsup:

I'm running windows xp media center edition

What's the first step I should take? PLEASE HELP ME Thank You for your time.

Edited by PurduePharmDGuy, 07 March 2009 - 10:38 PM.




#2 boopme (Global Moderator, 72,740 posts, Location: NJ USA)

Posted 07 March 2009 - 10:39 PM

Hello, please run part 1 of Smitfraudfix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 07 March 2009 - 10:49 PM

When I click on Smitfraudfix.exe it made a folder on my desktop but it didn't run. Thanks for the fast reply btw

#4 boopme (Global Moderator, 72,740 posts, Location: NJ USA)

Posted 07 March 2009 - 10:54 PM

If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

#5 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 07 March 2009 - 10:58 PM

I moved it to the C: like you said and it still doesn't run. I don't know if this is relevant but about a month ago I removed Vundo and things went back to normal with no signs of infection.

#6 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 07 March 2009 - 11:06 PM

It worked in safe mode with networking, here's the result:


SmitFraudFix v2.400

Scan done at 22:04:05.10, Sat 03/07/2009
Run from C:\Documents and Settings\Bobby\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Bobby


C:\DOCUME~1\Bobby\LOCALS~1\Temp


C:\Documents and Settings\Bobby\Application Data


Start Menu


C:\DOCUME~1\Bobby\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll avgrsstx.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 172.16.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1


Scanning for wininet.dll infection


End
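The SmitFraudFix report above prints the Winlogon, AppInit_DLLs and DNS values for a human to review, with the reminder that they "are not inevitably infected". As an added example (not part of the thread, and not SmitFraudFix's own code), the following Python script parses a report in that layout and flags only the values that deviate from a clean baseline. The first sample is constructed to mirror the values quoted in the log; the expected Userinit value and the RFC 1918 check are assumptions about a stock XP install under C:\WINDOWS with a resolver on the home LAN, and the second, tampered sample (loader.exe, 203.0.113.5) is made up so the checks have something to report.

```python
import ipaddress
import re

# Constructed sample in the layout of the SmitFraudFix report quoted above.
# Registry values use .reg-file escaping, so backslashes appear doubled.
SAMPLE_REPORT = r'''
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll avgrsstx.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


DNS

Description: Intel PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 172.16.0.1
'''

# Second constructed sample with two values tampered (loader.exe and 203.0.113.5 are
# made-up placeholders) so the checks below have something to flag.
TAMPERED_REPORT = (
    SAMPLE_REPORT
    .replace('"System"=""', '"System"="C:\\\\WINDOWS\\\\loader.exe"')
    .replace("172.16.0.1", "203.0.113.5")
)

# Assumed baseline: the Userinit value of a stock XP install under C:\WINDOWS
# (the same value the log above shows), and a resolver on a private LAN.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_values(report):
    """Collect every "name"="value" line and undo the .reg backslash doubling."""
    values = {}
    for line in report.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def parse_dns_servers(report):
    """Return the addresses listed after 'DNS Server Search Order:'."""
    servers = []
    for line in report.splitlines():
        if line.startswith("DNS Server Search Order:"):
            servers.extend(line.split(":", 1)[1].replace(",", " ").split())
    return servers


def check_report(report, expected_userinit=DEFAULT_USERINIT):
    """Return (kind, detail) findings for values that deviate from the baseline."""
    findings = []
    values = parse_reg_values(report)

    # Userinit runs at every logon; an extra entry after the comma is a classic persistence spot.
    userinit = values.get("Userinit", "")
    if userinit.lower() != expected_userinit.lower():
        findings.append(("userinit", f"Userinit is {userinit!r}, expected {expected_userinit!r}"))

    # The Winlogon 'System' value is empty on a clean machine.
    if values.get("System"):
        findings.append(("winlogon_system", f"Winlogon System is set to {values['System']!r}, expected empty"))

    # AppInit_DLLs are loaded into every process that loads user32.dll; list them for review.
    appinit = values.get("AppInit_DLLs", "")
    if appinit:
        findings.append(("appinit_dlls", "review these DLLs: " + ", ".join(appinit.split())))

    # A resolver outside private address space is worth confirming against the router/ISP settings.
    for server in parse_dns_servers(report):
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in RFC1918):
            findings.append(("dns", f"resolver {server} is outside RFC 1918 space"))
    return findings


if __name__ == "__main__":
    for name, rep in (("sample", SAMPLE_REPORT), ("tampered", TAMPERED_REPORT)):
        print(name)
        for kind, detail in check_report(rep):
            print(f"  [{kind}] {detail}")
```

On the sample mirroring the posted log the only finding is the AppInit_DLLs list, which is informational: the script cannot tell a vendor DLL from a malicious one, so it surfaces the names and leaves the judgement to the reviewer, exactly as the report's own "not inevitably infected" note does.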

#7 boopme (Global Moderator, 72,740 posts, Location: NJ USA)

Posted 07 March 2009 - 11:12 PM

MBAM had come back all clean when you ran it?

Run the Cleaner Part 2
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

#8 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 07 March 2009 - 11:15 PM

I'm gonna rescan with MBAM and I'll also do the #2 thing.

#9 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 07 March 2009 - 11:20 PM

Here's the #2, I will rescan with MBAM and post next.

SmitFraudFix v2.400

Scan done at 22:15:24.50, Sat 03/07/2009
Run from C:\Documents and Settings\Bobby\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 172.16.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E864BE63-4608-46B1-9791-86A1F3906E7C}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#10 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 08 March 2009 - 12:01 AM

And finally....MBAM found Rootkit.agent

Also I'm sure you noticed, but what's up with the hosts in my previous log post?

Here's the log:
Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 1

3/7/2009 10:59:34 PM
mbam-log-2009-03-07 (22-59-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248691
Time elapsed: 36 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F897B3F1-9686-413F-99E3-012ED7F32F63}\RP1\A0001163.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#11 boopme (Global Moderator, 72,740 posts, Location: NJ USA)

Posted 08 March 2009 - 12:23 AM

Yes, that's the rootkit and malware sending things off your computer. They may be sending personal info out such as financials. Do you do banking and such on here? I was waiting to see if it found a kit. We should run SDFix and MBAM again. I'll look back in the morning.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#12 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 08 March 2009 - 12:49 AM

When I try to run the bat file from SDfix in safe mode as soon as I hit run it brings up that prompt explaining what safe mode is and it gives me the option to use safe mode or system restore, but sdfix doesn't run. I'm going to bed now so I'll set MBAM to scan and I'll post the log either later if I get up at night or in the morning. Thanks for the help so far, I really appreciate it :thumbsup:

#13 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 08 March 2009 - 09:52 AM

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 1

3/8/2009 8:50:36 AM
mbam-log-2009-03-08 (08-50-36).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 249933
Time elapsed: 52 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


How do I fix the hosts back to normal?
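The hosts entries in the SmitFraudFix log earlier in the thread all map names to 127.0.0.1. A name pointed at a loopback address cannot be reached at all, which is how hosts-based blocklists work; it does not send the user anywhere. The pattern that actually hijacks traffic is the opposite one: a legitimate hostname mapped to a remote address. As an added example (not from the thread and not from any of the tools mentioned in it), this Python script separates the two cases and produces a hosts file that keeps only comments and the stock localhost line. The sample file is constructed: the four blocked names are copied from the posted log, while the www.example.com line and the address 203.0.113.7 are made up to show an override entry.

```python
import ipaddress

# Constructed sample hosts file: the 127.0.0.1 names are taken from the log posted
# earlier in the thread; the www.example.com line (203.0.113.7) is made up to show
# the dangerous pattern, a real hostname pointed at a remote address.
SAMPLE_HOSTS = """\
# comment lines are kept as-is by the cleaner

127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
203.0.113.7 www.example.com   # constructed override entry
"""


def parse_hosts(text):
    """Return (line_number, address, hostnames) for every well-formed entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # first field is not an address: malformed line, skip it
        entries.append((lineno, str(addr), parts[1:]))
    return entries


def classify_hosts(text):
    """Sort entries into the stock localhost line, loopback sinkholes and remote overrides.

    A name mapped to a loopback address cannot be reached at all (blocklists use this);
    a name mapped to any other address sends traffic for that name wherever the line says.
    """
    result = {"default": [], "sinkhole": [], "override": []}
    for lineno, addr, names in parse_hosts(text):
        loop = ipaddress.ip_address(addr).is_loopback
        if loop and all(n.lower() == "localhost" for n in names):
            result["default"].append((lineno, addr, names))
        elif loop:
            result["sinkhole"].append((lineno, addr, names))
        else:
            result["override"].append((lineno, addr, names))
    return result


def clean_hosts(text):
    """Return a hosts file with comments and the localhost mapping only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].lower() == "localhost" and parts[0] in ("127.0.0.1", "::1"):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    groups = classify_hosts(SAMPLE_HOSTS)
    for kind in ("default", "sinkhole", "override"):
        for lineno, addr, names in groups[kind]:
            print(f"{kind:9} line {lineno}: {addr} -> {' '.join(names)}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Review the "override" group first, since those lines change where traffic for a real name goes; the "sinkhole" group only blocks names, and dropping it restores access to them. On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts and is writable only by an administrator, so the cleaned text has to be written back from an administrative account.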

#14 PurduePharmDGuy (Topic Starter, Members, 12 posts)

Posted 08 March 2009 - 12:05 PM

Sorry for 3 posts in a row but there's a new problem. I ran ad aware and it found 10 new threats (win32.trojan.spy) so I had them removed. After I did that the bar on the bottom (with start and the tabs for running programs, you know what I mean) disappeared so I did a reboot into safe mode to rescan. Now my computer is stuck on the "windows is starting up" screen.

#15 boopme (Global Moderator, 72,740 posts, Location: NJ USA)

Posted 08 March 2009 - 01:05 PM

Can you reboot into Safe Mode? Then choose Last Known Good Configuration.
How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Then if you can get to the internet run HJT.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.



