
I am infected somehow, don't know where to go from here...


10 replies to this topic

#1 toothmkr57 (Members, 8 posts)

Posted 10 March 2009 - 09:41 PM

I was cleaning up my hard drive and searching through files, seeing what I could delete and what I wanted to keep around. I opened a zip file and all of a sudden my background changed to a black background with a flashing sign that says 'WARNING Dangerous Spyware detected'. A red circle with a white X appeared in my system bar with a message 'Warning security report your computer is Infected! It is recommended to start spyware cleaner tool'. I tried Ctrl/Alt/Del and it said task manager has been disabled by your administrator (which is me). I deleted the zip file immediately to try and get rid of it, to no avail; I also emptied the trashcan. I ran Noadware 5.0; it found something labeled severe and removed it. After its removal my desktop went back to normal for about 30-45 seconds and then went back to the black screen. I have the log if you want to view it; I didn't want to attach it without being told to do so. I am currently running Malwarebytes; it has yet to find anything. Because of the administrator message I didn't want to restart my computer for fear of it being hijacked by something or another. I am running Windows XP, everything is current, I can give more specific info if needed. Please help! Thanks in advance,
Paul


#2 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 10 March 2009 - 10:07 PM

Would you post that MBAM log?
Chewy

No. Try not. Do... or do not. There is no try.

#3 toothmkr57, Topic Starter (Members, 8 posts)

Posted 10 March 2009 - 10:33 PM

Ok, so the scan just finished. There were some infections that it said it could delete until reboot. Here are both the Noadware 5.0 log and the MBAM log, just so you can see everything.

MBAM log:

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

3/10/2009 11:27:18 PM
mbam-log-2009-03-10 (23-27-18).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 253447
Time elapsed: 1 hour(s), 31 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdesoceqo (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jvuqila (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Uveqezudanawozav.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ovewosaf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Paul Ravenstone\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Paul Ravenstone\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.


Here's the Noadware5.0 log:

Noadware 5.0
---------------------
Removing Spyware TotalVelocity zSearch...
Removing Registry TotalVelocity zSearch...
Removing RegValues TotalVelocity zSearch...
Fixing RegValue data TotalVelocity zSearch...
Removing Cookies TotalVelocity zSearch...
Removing Files TotalVelocity zSearch...
[File Deleting...] C:\Documents and Settings\Paul Ravenstone\Local Settings\Temp\logger.log
[File Deleted] C:\Documents and Settings\Paul Ravenstone\Local Settings\Temp\logger.log
Removing Folders TotalVelocity zSearch...
Removing Spyware Tracking Cookie...
Removing Registry Tracking Cookie...
Removing RegValues Tracking Cookie...
Fixing RegValue data Tracking Cookie...
Removing Cookies Tracking Cookie...
[Deleted Cookie] C:\Documents and Settings\Paul Ravenstone\Cookies\paul__ravenstone@zedo[2].txt
Removing Files Tracking Cookie...
Removing Folders Tracking Cookie...
Removing Spyware TrojanGuarder...
Removing Registry TrojanGuarder...
[Deleting Key...] Key : HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx
[Key Deleted] Key : HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx
Removing RegValues TrojanGuarder...
Fixing RegValue data TrojanGuarder...
Removing Cookies TrojanGuarder...
Removing Files TrojanGuarder...
Removing Folders TrojanGuarder...
Removing Spyware HotBar...
Removing Registry HotBar...
[Deleting Key...] Key : HKEY_LOCAL_MACHINE\System\currentcontrolset\enum\sw\{03884cb6-e89a-4deb-b69e-8dc621686e6a}
[Key Deleted] Key : HKEY_LOCAL_MACHINE\System\currentcontrolset\enum\sw\{03884cb6-e89a-4deb-b69e-8dc621686e6a}
[Deleting Key...] Key : HKEY_LOCAL_MACHINE\System\currentcontrolset\enum\sw\{96e080c7-143c-11d1-b40f-00a0c9223196}
[Key Deleted] Key : HKEY_LOCAL_MACHINE\System\currentcontrolset\enum\sw\{96e080c7-143c-11d1-b40f-00a0c9223196}
Removing RegValues HotBar...
Fixing RegValue data HotBar...
Removing Cookies HotBar...
Removing Files HotBar...
Removing Folders HotBar...
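As an added example (not part of this thread, and not Malwarebytes' own code), a small Python parser for the MBAM log format posted above, run over the detection lines from that log: it tags each item by the role it played for the infection (autostart Run value, Winlogon Userinit hijack, policy lock-out such as DisableTaskMgr) and lists what MBAM could only schedule for "Delete on reboot", which is why a restart is the next step. The category names are my own.

```python
import re

# Detection lines copied from the MBAM log posted in this thread (section headers kept).
MBAM_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdesoceqo (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# MBAM line shape: <item> (<detection>) -> [intermediate ->] <final action>
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    section, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":") and "->" not in line:
            section = line[:-1]           # e.g. "Registry Values Infected"
            continue
        m = ENTRY.match(line)
        if m and section:
            action = m.group("rest").split(" -> ")[-1]   # last arrow segment is the outcome
            entries.append({"section": section, "item": m.group("item"),
                            "detection": m.group("detection"), "action": action,
                            "pending": action.startswith("Delete on reboot")})
    return entries

def classify(entry):
    # Role the item played for the infection, from a defender's point of view (my own labels).
    item = entry["item"].lower()
    if "\\winlogon\\userinit" in item:
        return "logon-hijack"   # Userinit starts the logon shell; an empty value gives a logon/logoff loop
    if "\\currentversion\\run\\" in item:
        return "autostart"      # re-launched at every logon
    if "\\policies\\" in item:
        return "policy-tamper"  # DisableTaskMgr / NoChangingWallpaper keep the user from undoing the damage
    return "file"

def summarize(text):
    """Group items by role and list what stays on disk until the next reboot."""
    summary = {"by_kind": {}, "pending_reboot": []}
    for e in parse_mbam(text):
        summary["by_kind"].setdefault(classify(e), []).append(e["item"])
        if e["pending"]:
            summary["pending_reboot"].append(e["item"])
    return summary
```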



#4 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 10 March 2009 - 10:45 PM

I would suggest rebooting and running another MBAM quick scan; it found some nasty stuff, but we won't know till later how nasty.
Chewy

No. Try not. Do... or do not. There is no try.

#5 toothmkr57, Topic Starter (Members, 8 posts)

Posted 10 March 2009 - 10:52 PM

I rebooted; it was caught in a continuous loop, loading settings then logging out, saving settings... over and over. It wouldn't load into safe mode until I shut it off for a minute instead of restarting. I'm in safe mode now; do you still want me to run MBAM again?

#6 toothmkr57, Topic Starter (Members, 8 posts)

Posted 10 March 2009 - 11:01 PM

Ok, I am running a new scan, but now I can't log into the internet with the infected computer in safe mode. I am currently on another computer. How can I get the info to you?

#7 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 10 March 2009 - 11:02 PM

Would you try to run DrWeb CureIt from normal mode? If you can't use normal mode, use safe mode.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#8 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 10 March 2009 - 11:05 PM

We are seeing a very bad wave of these very nasty infections, many are incurable, some are curable but only after you get helped by the trained experts in the HJT forum. There could be a long wait.

It's your decision, I would reload if it was me.

Edited by DaChew, 10 March 2009 - 11:06 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#9 toothmkr57, Topic Starter (Members, 8 posts)

Posted 10 March 2009 - 11:19 PM

Ok, it's not letting me do this. I had to download Dr.Web on another computer and transfer it with a thumb drive to the infected computer. After doing so it did not do anything, so I restarted in safe mode (which is not a simple task), and it brought up a cmd window that disappeared quickly. But it will not let me do anything at this point.

#10 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 11 March 2009 - 12:15 AM

See this post by our resident EXPERT; I am fairly sure your infection is much worse than that one.

http://www.bleepingcomputer.com/forums/t/209968/trojan-agent-keeps-coming-back/

We can help you back up your data or post a log in the HJT forum.
Chewy

No. Try not. Do... or do not. There is no try.

#11 toothmkr57, Topic Starter (Members, 8 posts)

Posted 11 March 2009 - 05:13 AM

So what should I do now?



