Trojan/Spyware/ Exploit-xmlhttp.D.Gen/ Moved



#1 richbrandi

Posted 18 March 2009 - 04:58 PM

I have a Dell Dimension 5150 running Windows XP.

I was infected with some virus that set off some McAfee/Windows alerts telling me a trojan virus was infecting the machine and changed my wallpaper to a red/blue/yellow graphic pattern.

I immediately updated Malware and scanned the PC. The various scans are below in time sequence. As you can see, the stuff gets taken care of but then starts reappearing. The wallpaper has now changed to a solid blue field, but when I reboot several boxes pop up; some say (TASKMG - A call to an OS function failed) or (ALG - A call to an OS function failed), then my printer sends a warning that it cannot find the printer.

Now when I try to get on the internet it is very slow. Also every once in a while a McAfee popup says Exploit-xmlhttp.D.Gen has been blocked.

What else can I do?

Thanks for any help!!!

Malwarebytes' Anti-Malware 1.33
Database version: 1730
Windows 5.1.2600 Service Pack 3

3/17/2009 8:55:47 PM
mbam-log-2009-03-17 (20-55-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203271
Time elapsed: 3 hour(s), 25 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 22
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 52

Memory Processes Infected:
C:\WINDOWS\Temp\5_odb.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\Brandi\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amoumain (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofama (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdmon (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odby (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\amoumain.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Ktifefayoqeviwec.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\1_dropper_286962.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\5_odb.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\6_ldr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\60325cahp25caa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\q1.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q2.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q3.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q4.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q5.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q6.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q7.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q8.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q9.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\teste1_p.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\teste2_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\teste3_p.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\teste4_p.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\avto.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\avto1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\avto2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\avto3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Local Settings\Temp\avto4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\12520437l.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\svx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vlc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wdmon.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\svw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\5_odb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\teste1_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\teste2_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\teste3_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\teste4_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandi\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.

*************************************************
Malwarebytes' Anti-Malware 1.34
Database version: 1861
Windows 5.1.2600 Service Pack 3

3/17/2009 9:34:16 PM
mbam-log-2009-03-17 (21-34-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 97245
Time elapsed: 32 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

************************************************************

Malwarebytes' Anti-Malware 1.34
Database version: 1861
Windows 5.1.2600 Service Pack 3

3/18/2009 7:24:24 AM
mbam-log-2009-03-18 (07-24-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 218933
Time elapsed: 1 hour(s), 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sms (Worm.P2P) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sms.exe (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp0446142.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp5671095.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp5919793.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp5935276.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp6218598.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp6267382.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp8882820.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\lastninja.zip (Worm.Archive) -> Quarantined and deleted successfully.
***************************************
Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 5.1.2600 Service Pack 3

3/18/2009 5:08:52 PM
mbam-log-2009-03-18 (17-08-52).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 232032
Time elapsed: 1 hour(s), 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

********************************************************
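The MBAM logs above follow a fixed line format, and the question the poster is really asking ("the stuff gets taken care of but then starts reappearing") is answered by reading them carefully: every item marked "Delete on reboot" was still locked or running at scan time and must be confirmed gone by a second scan after restarting, and the registry lines show where the infection had planted itself (Run/RunServices autostarts, the Winlogon Userinit hijack to ntos.exe, and the Policies values that disabled Task Manager and regedit). The following triage script is an added example, not part of the thread and not Malwarebytes' own tooling; it assumes the real logs use exactly the line layout shown above and parses a constructed excerpt of the first log into a summary of footholds and pending deletions.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text logs.

Added example, not part of the thread and not Malwarebytes' own tooling.
It parses the '<Section> Infected:' blocks and their
'<object> (<detection>) -> [details ->] <action>.' lines, groups findings by
the kind of foothold they represent, and lists everything still marked
'Delete on reboot', which is what must be re-checked by a second scan after
restarting (the thread's follow-up scan is exactly that check).
"""
import re
from collections import Counter

# Constructed excerpt in the layout of the first log above (assumption: real
# MBAM logs of this version use exactly this line format; the real log is longer).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1730
Windows 5.1.2600 Service Pack 3

Registry Values Infected: 2

Memory Processes Infected:
C:\WINDOWS\Temp\5_odb.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amoumain (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Brandi\Local Settings\Temp\q1.exe (Trojan.Agent) -> Delete on reboot.
"""

# A section header is '<words> Infected:' with nothing after the colon;
# the summary counts ('Registry Values Infected: 2') do not match this.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Item lines: object, detection name in parentheses, then one or more '->' parts.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def classify(section: str, obj: str) -> str:
    """Map one finding to the kind of foothold it represents (path heuristics)."""
    key = obj.lower()
    if section.startswith("Memory"):
        return "active in memory"
    if section.startswith("Registry"):
        if "\\winlogon\\userinit" in key:
            return "logon hijack (Userinit)"       # runs before the shell at every logon
        if "\\currentversion\\run" in key or "sharedtaskscheduler" in key:
            return "autostart entry"               # Run, RunServices, SharedTaskScheduler
        if "\\policies\\" in key:
            return "policy tamper (tools disabled)"  # DisableTaskMgr, DisableRegistryTools
        if "\\security center\\" in key:
            return "security center notifications disabled"
        return "other registry"
    if "\\temp\\" in key:
        return "dropped in Temp"
    if "\\windows\\system32\\" in key:
        return "dropped in system32"
    if "\\windows\\" in key:
        return "dropped in Windows directory"
    return "other file"


def parse_log(text: str) -> list:
    """Return one dict per detected item; headers, counts and empty sections are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not (m and section):
            continue
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        findings.append({
            "section": section,
            "object": m.group("obj"),
            "detection": m.group("detection"),
            "details": " ".join(parts[:-1]),   # e.g. 'Bad: (...) Good: (...)' or 'Data: ...'
            "action": parts[-1].rstrip("."),    # last '->' part is what MBAM did
            "category": classify(section, m.group("obj")),
        })
    return findings


def summarize(findings: list) -> dict:
    """Counts by action and by category, plus the items that need a post-reboot re-check."""
    return {
        "by_action": Counter(f["action"] for f in findings),
        "by_category": Counter(f["category"] for f in findings),
        "pending_reboot": [f["object"] for f in findings if f["action"] == "Delete on reboot"],
        "userinit_hijack": [f["details"] for f in findings
                            if f["category"] == "logon hijack (Userinit)"],
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for cat, n in report["by_category"].most_common():
        print(f"{n:3d}  {cat}")
    print("\nStill pending until reboot (re-scan afterwards):")
    for obj in report["pending_reboot"]:
        print("  ", obj)
    for details in report["userinit_hijack"]:
        print("\nUserinit was pointed at malware:", details)
```

Run against the full first log, the "pending" list is the set of items the 21:34 follow-up scan had to confirm as gone.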

#2 Orange Blossom

Posted 18 March 2009 - 05:09 PM

I am moving this topic from the Windows XP forum to the Am I Infected forum. ~ OB

#3 boopme

Posted 18 March 2009 - 07:42 PM

Hello, please run ATF and SAS next. How is it running now?

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 richbrandi

richbrandi
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 19 March 2009 - 05:33 PM

Done. ****** Log follows

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/19/2009 at 02:08 PM

Application Version : 4.25.1014

Core Rules Database Version : 3804
Trace Rules Database Version: 1759

Scan type : Complete Scan
Total Scan Time : 02:50:00

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 6950
Registry threats detected : 0
File items scanned : 140816
File threats detected : 1

Rogue.XP AntiSpyware2009-Trace
C:\Documents and Settings\Brandi\Desktop\delself.bat

#5 boopme

Posted 19 March 2009 - 07:55 PM

Hi, so how is it running now?

#6 richbrandi

richbrandi
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 20 March 2009 - 10:19 AM

I am still getting McAfee Trojan alert

It happens after full bootup. I have also heard ads/music over the speakers without going on the internet.

When I go on the Internet, a McAfee Trojan alert periodically pops up.

When I close the internet, a script error box is usually there from a different URL than where I was, asking if I want to continue.

The McAfee warning disappears quickly but it mainly says:

Trojan quarantined detected exploit-xmlhttp.D.Gen and it has been blocked.

What else can I do?

#7 boopme


Posted 20 March 2009 - 10:32 AM

Hi, run Dr.Web next. Let me know about that pest.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#8 richbrandi

richbrandi
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 20 March 2009 - 10:34 PM

Done. Log follows:
****************************************************
alg.exe;c:\windows;Trojan.PWS.Banker.27842;Deleted.;
servicelayer.exe;c:\windows;Trojan.PWS.Banker.27841;Deleted.;
taskmg.exe;c:\windows;Trojan.PWS.Banker.27831;Deleted.;
ComboFix[1].exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57\ComboFix[1].exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57;Archive contains infected objects;;
ComboFix[1].exe;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57;Container contains infected objects;Moved.;
ComboFix[2].exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57\ComboFix[2].exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57;Archive contains infected objects;;
ComboFix[2].exe;C:\Documents and Settings\Brandi\Local Settings\Temporary Internet Files\Content.IE5\B52RAO57;Container contains infected objects;Moved.;
Faith Hill - Sunshine And Summertime.mp3;C:\Documents and Settings\Brandi\My Documents\LimeWire\Saved\Cindy A-L;Trojan.WMALoader;Cured.;
Toby Keith - God Love Her.mp3;C:\Documents and Settings\Brandi\My Documents\LimeWire\Saved\Cindy M-Z;Trojan.WMALoader;Cured.;
dlccppx.dl_;C:\drivers\printer\924\drivers\Win_XP2K\x64;Modification of Linux.Diesel.969;Moved.;
delfolder.exe;C:\Program Files\DellSupport\GTCoach;Trojan.MulDrop.30652;Deleted.;
delfolder.exe;C:\Program Files\WebCyberCoach\b_Dell;Trojan.MulDrop.30652;Deleted.;
A0092863.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1196;Trojan.PWS.Banker.27831;Deleted.;
A0093127.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1199;Trojan.PWS.Banker.27842;Deleted.;
A0093128.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1199;Trojan.PWS.Banker.27841;Deleted.;
A0093129.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1199;Trojan.PWS.Banker.27831;Deleted.;
A0093130.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1199;Trojan.MulDrop.30652;Deleted.;
A0093131.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1199;Trojan.MulDrop.30652;Deleted.;

I am not getting the McAfee warning now. :thumbsup:

Was this virus sending information out from my PC? Should I take any other precautions (i.e, change passwords for websites, email, etc.)? Why was McAfee able to detect but not stop it?

Thanks for all your help!!!!!

#9 boopme


Posted 20 March 2009 - 11:18 PM

Hello. Well, we have found PWS-Banker. http://vil.nai.com/vil/content/v_131326.htm
Characteristics -

This detection is for a trojan intended to harvest online banking credentials of victims. The trojan is South American (Brazilian?) in origin.

Once running on the victim machine, the trojan monitors the title bars of any windows active on that machine. When any containing specific strings (banking related) are opened, a series of fake online banking login images are displayed in order to entice the user to enter their credentials.

Rather than purely logging keystrokes, this trojan actually mimics a method used by some banks for security, and is capable of harvesting the credentials when the user clicks their PIN onto the displayed image(s):
**************
That said I would like to tell you this:

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log.
However, because of the nature of this Trojan, I cannot offer a total
guarantee that there are no remnants left in the system, or that the
computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan,
the best course of action is to reformat and reinstall the Operating System.
Making this decision is based on what the computer is used for, and what
information can be accessed from it.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

#10 richbrandi

richbrandi
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 21 March 2009 - 02:55 PM

Unfortunately this is our main computer at home and is used for banking email and the like.

It is on a home network and I have been using the second computer to go on the internet to fix the main one.

The second PC has shown no signs of an issue. Should I go through the same steps to ensure nothing is going on with this one also?

Thanks.

#11 boopme


Posted 21 March 2009 - 07:35 PM

Yes, you should check for updates and run MBAM, ATF and SAS on the other drive. Post the logs for review if you like.

On reformatting the other, it's the choice I'd have made.
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
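The backup rules in the reply above (copy data files, skip executables, Windows files, autorun files and web pages, and look at the full file name because a malicious extension can be hidden behind a harmless one) are easy to apply by hand to a few files and easy to get wrong across a whole My Documents tree. The script below is an added example, not part of the thread; it encodes those rules as a pre-backup triage over a constructed list of paths. The extension sets beyond the ones the reply names (.exe, .scr, .com, .pif, .html, .htm, .doc, .txt, .mp3, .jpg) are my own assumptions, and it refuses both the "autorun.ini" the reply mentions and autorun.inf, the name Windows actually honours.

```python
"""Pre-backup triage for a machine that is about to be wiped after an infection.

Added example, not part of the thread. Applies the two backup guidelines above:
copy data files, skip anything executable, anything under the Windows
directory, autorun files and web pages, and treat 'name.jpg.exe' style
double extensions as the disguised executables the reply warns about.
"""
import os
from typing import Dict, List, Tuple

# Extensions the reply calls data (.doc .txt .mp3 .jpg) plus a few more (assumption).
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg", ".xls", ".pdf", ".png", ".gif"}
# Extensions the reply says never to back up (.exe .scr .com .pif) plus other
# Windows executable/script types (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".dll"}
WEBPAGE_EXTENSIONS = {".html", ".htm"}
# The reply says "autorun.ini"; the file Windows actually honours is autorun.inf,
# so both names are refused.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(path: str) -> Tuple[str, str]:
    """Return ('copy' | 'skip' | 'review', reason) for one file path."""
    lower_path = path.lower().replace("/", "\\")
    name = os.path.basename(lower_path.replace("\\", "/"))
    if name in AUTORUN_NAMES:
        return "skip", "autorun file"
    if "\\windows\\" in lower_path:
        return "skip", "inside the Windows directory"
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return "review", "no extension: cannot tell what it is"
    exts = ["." + p for p in parts[1:]]   # every extension, e.g. ['.jpg', '.exe']
    final = exts[-1]                      # the one Windows actually uses to run it
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DATA_EXTENSIONS:
            return "skip", f"disguised executable: looks like {exts[-2]} but runs as {final}"
        return "skip", f"executable ({final})"
    if final in WEBPAGE_EXTENSIONS:
        return "skip", "web page"
    if final in DATA_EXTENSIONS:
        return "copy", f"data file ({final})"
    return "review", f"unknown type ({final})"


def plan_backup(paths: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group candidate paths into copy / skip / review buckets with reasons."""
    plan: Dict[str, List[Tuple[str, str]]] = {"copy": [], "skip": [], "review": []}
    for p in paths:
        verdict, reason = classify(p)
        plan[verdict].append((p, reason))
    return plan


# Constructed sample paths modelled on the thread's machine (not real files).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Brandi\My Documents\report.doc",
    r"C:\Documents and Settings\Brandi\My Documents\LimeWire\Saved\song.mp3",
    r"C:\Documents and Settings\Brandi\My Documents\holiday.jpg.exe",
    r"C:\WINDOWS\system32\ntos.exe",
    r"E:\autorun.inf",
    r"C:\Documents and Settings\Brandi\Desktop\page.htm",
    r"C:\Documents and Settings\Brandi\My Documents\archive.zip",
]

if __name__ == "__main__":
    for bucket, items in plan_backup(SAMPLE_PATHS).items():
        print(bucket.upper())
        for p, why in items:
            print(f"  {p}  [{why}]")
```

Anything in the copy bucket still gets scanned with an updated anti-virus before it is restored, as the reply says; the LimeWire .mp3 files that Dr.Web cured earlier in the thread show why.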

#12 richbrandi

richbrandi
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:40 PM

Posted 23 March 2009 - 06:22 AM

Thanks for all your help!

I am in the process of gathering the items I need to wipe and restore computer 1.

I went through the second PC with the same steps; logs follow.

*********************************************
Malwarebytes' Anti-Malware 1.34
Database version: 1868
Windows 5.1.2600 Service Pack 3

3/19/2009 12:22:01 PM
mbam-log-2009-03-19 (12-22-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 120499
Time elapsed: 53 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Second Run ***********************************
Malwarebytes' Anti-Malware 1.34
Database version: 1882
Windows 5.1.2600 Service Pack 3

3/21/2009 7:36:24 PM
mbam-log-2009-03-21 (19-36-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 104279
Time elapsed: 1 hour(s), 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
*************************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/21/2009 at 09:38 PM

Application Version : 4.25.1014

Core Rules Database Version : 3808
Trace Rules Database Version: 1763

Scan type : Complete Scan
Total Scan Time : 01:44:41

Memory items scanned : 236
Memory threats detected : 0
Registry items scanned : 3992
Registry threats detected : 0
File items scanned : 42916
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Raccon1\Cookies\raccon1@atdmt[1].txt
C:\Documents and Settings\Raccon1\Cookies\raccon1@doubleclick[1].txt

Trace.Known Threat Sources
C:\Documents and Settings\Raccon1\Local Settings\Temporary Internet Files\Content.IE5\W9MV0LIZ\virusremover2009[1].jpg


***************************************
I also ran Dr.Web CureIt and it said nothing was found.

Is this machine OK, or should I consider a wipe on this one also?

#13 boopme


Posted 23 March 2009 - 09:55 AM

Yes, these are OK. It's the main one that carried the serious stuff.