Strange System - Virus?

3 replies to this topic

#1 Hoogey Boy
Posted 15 April 2009 - 04:16 PM

Hello all,

After finally getting the internet back (I haven't been online at home for over 9 months!) I have been noticing some bugs that are appearing. The second day I was online I noticed the program Spyware Protect 2009 had been installed. It said that I was infected with spyware (I thought this was quite funny :thumbsup: ). Spyware Doctor couldn't pick it up, so after some googling I quickly found the files and deleted it. Problem solved!

I then noticed some random things happening on my computer:

1) Svchost.exe starts running at 100% when I start up the system. (I'm not sure if this is correct, but I have 5 svchost.exe running at once in my task manager.)

2) When watching full-screen videos or when in a game, it will exit the window. It's like another blank window is opening over the top of the one I'm viewing, but nothing opens. This also happens when in Firefox, Explorer, Adobe Reader, etc.

3) Windows Firewall starts in the Off mode.

I then downloaded AVG and it found a collection of viruses and trojans. All were deleted apart from about 7 different infected svchost.exe files.

I also downloaded Spybot Search & Destroy and Malwarebytes' Anti-Malware, but after they have installed they will not open (this is also the same for ComboFix). They don't even register in the task manager.

It has been a week since I deleted Spyware Protect 2009 and today it was back on my system. Problem 1) has stopped (apart from the many svchost processes), but 2) and 3) remain.

Any suggestions to get Anti-Malware and Search & Destroy working?

Thank you in advance,

Chris

Edit - Whoops, I'm using Windows XP!

Edited by Hoogey Boy, 15 April 2009 - 04:20 PM.

#2 DaChew
Posted 15 April 2009 - 04:37 PM

Try this with MBAM:

Try renaming the setup file to install.com.

Try installing in Safe Mode.

Here's a random renamer for the program if you can get it installed:

http://kixhelp.com/wr/files/mb/randmbam.exe

Chewy

No. Try not. Do... or do not. There is no try.

#3 Hoogey Boy
Posted 15 April 2009 - 05:11 PM

Thank you very much, it worked a treat!

Here's the log:

--------------------

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 3

15/04/2009 22:48:24
mbam-log-2009-04-15 (22-48-24).txt

Scan type: Quick Scan
Objects scanned: 75825
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svcho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

-----------------------

Two more scans showed all clean. Anything I should do next to confirm I'm all good?

Thank you again

Chris
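The log above contains two things a responder would want to re-check rather than take on faith: several items MBAM could only mark "Delete on reboot" (the lowsec folder and its .ds files, uacinit.dll, sdra64.exe), and a Winlogon Userinit value that had sdra64.exe appended so the trojan relaunched at every logon. The script below is an added example, not code from the forum post, MBAM or BleepingComputer: it parses an MBAM-style log for the pending deletions so they can be checked on disk after the restart, and flags any Userinit entry other than the stock userinit.exe. The function names and the allowlist are the example's own; the embedded log excerpt is taken from the post above.

```python
"""Post-cleanup checks for a Malwarebytes' Anti-Malware (MBAM) log.

Added example (not from the original post). Two checks worth running after a
scan like the one above:
  1. list the items MBAM could only schedule for "Delete on reboot", so they
     can be re-checked on disk once the machine has restarted;
  2. verify the Winlogon Userinit value holds only the legitimate userinit.exe,
     since anything appended to it is launched at every interactive logon.
"""
import os
from typing import List

# Known-good Userinit content on Windows XP: a single userinit.exe entry
# (Windows writes it as C:\WINDOWS\system32\userinit.exe with a trailing comma).
# Compared on basename, case-insensitively. Allowlist chosen for this example.
LEGIT_USERINIT = {"userinit.exe"}

# Excerpt of the MBAM log posted above (real lines from the post, shortened).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every comma-separated entry in a Userinit registry string whose
    basename is not the stock userinit.exe. An empty list means the value is
    back to its legitimate state."""
    extra = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Normalise separators so the check works on non-Windows hosts too.
        basename = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename not in LEGIT_USERINIT:
            extra.append(entry)
    return extra


def pending_reboot_deletions(log_text: str) -> List[str]:
    """Extract the filesystem paths MBAM marked 'Delete on reboot'.

    Two line shapes occur in the log: plain file/folder lines
    ('<path> (<detection>) -> Delete on reboot.') and registry data lines
    ('... -> Data: <path> -> Delete on reboot.'). Duplicates that differ only
    in case (the same file listed under both shapes) are collapsed.
    """
    paths: List[str] = []
    seen = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line.endswith("-> Delete on reboot."):
            continue
        if "-> Data: " in line:
            path = line.split("-> Data: ", 1)[1].rsplit(" -> ", 1)[0]
        else:
            path = line.rsplit(" (", 1)[0]
        path = path.strip()
        if path.lower() not in seen:
            seen.add(path.lower())
            paths.append(path)
    return paths


def still_present(paths: List[str]) -> List[str]:
    """Paths from the pending-deletion list that still exist on this host.
    Run after the reboot; a non-empty result means the cleanup did not stick."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    bad_value = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
    print("Userinit extras:", unexpected_userinit_entries(bad_value))
    pending = pending_reboot_deletions(SAMPLE_LOG)
    print("Pending deletions:", pending)
    print("Still on disk:", still_present(pending))
```

On the infected machine the Userinit string would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and passed to unexpected_userinit_entries; the pending-deletion list is what to walk with still_present after the restart MBAM asked for.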

#4 DaChew
Posted 15 April 2009 - 05:58 PM

This is a very nasty infection.

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the Files tab, scan, and paste the report into a reply here, please.

Chewy

No. Try not. Do... or do not. There is no try.