
Koobface - MBAM reports multiple infections


This topic is locked. 6 replies to this topic.

#1 Help_Me_Plz

  • Members
  • 4 posts

Posted 08 May 2009 - 04:15 AM

I'm running Windows XP SP3 and I've had a malware infection (or infections) that I've known about for a couple of days, and it's proving very difficult to get rid of. It sends messages out to people on my Facebook friends list offering porn in an attempt to infect them too, and changes the password for my account; this has happened for the past two days at around 3.30 PM GMT.

Other strange things my computer has been doing:

It pops up a message: "Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! Systems Security will perform a quick an free scanning of your PC for viruses and maliious programs." Avast calls the program that does this "FakeAV-V [trj]" and it apparently originates in "Temporary Internet Files"; Malwarebytes Anti-Malware doesn't even pick it up as existing at all. Unfortunately, Avast seems incapable of deleting it or quarantining it.

The proxy server settings in IE have been altered, pointing my browser to more malware when I search for information on how to remove it; I have to keep unchecking the box in the settings so that I can use IE at all.

It also tries to download a "setup.exe" from www.sex.xxx.com (that might not be the exact URL).

I've tried running updates for Malwarebytes Anti-Malware, Avast and Trend Micro AV and then running them, but they are clearly not getting to the root of the problem because it keeps coming back.

Thanks for reading, any help would be appreciated
Sam


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 May 2009 - 08:04 PM

Hello.

I would like to see the Malwarebytes, AVAST and TrendMicroAV log please.

Also, you should not have more than one anti-virus program installed. I suggest you remove Avast or Trend Micro AV now.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to [image link].

#3 Help_Me_Plz (Topic Starter)

  • Members
  • 4 posts

Posted 09 May 2009 - 09:49 AM

Thanks.

I'm not really sure if I'm providing you with what you need here in terms of logs, because I've never used these programs before; I only downloaded them in the past couple of days in an attempt to get rid of this infection. If there's other information I could get out of them that would help, I will need some instructions on how to get it.

Here we go...

This is what I could find in the logs of Trend Micro AV:
=========================================================================================================
"Virus Scan Logs" "May 08, 2009" "LOWMEM"
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"00:16" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/fb.42.exe""" "Cleaned Fail" "Deleted Successfully"
"00:16" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/fb.42.exe""" "Cleaned Fail" "Deleted Successfully"
"00:16" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\fb.42[1].exe" "Quarantined Successfully" ""
"00:16" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/ms.18.exe""" "Cleaned Fail" "Deleted Successfully"
"00:16" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/ms.18.exe""" "Cleaned Fail" "Deleted Successfully"
"00:16" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\ms.18[1].exe" "Quarantined Successfully" ""
"04:05" "Web Threat Monitor" "Web" "TROJ_DROPPER.APJ" " ""http://aksajans.com/1/6244.exe""" "Cleaned Fail" "Deleted Successfully"
"04:05" "Web Threat Monitor" "Web" "TROJ_DROPPER.APJ" " ""http://aksajans.com/1/6244.exe""" "Cleaned Fail" "Deleted Successfully"
"04:05" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"04:05" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"04:05" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/pp.06.exe""" "Cleaned Fail" "Deleted Successfully"
"04:05" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/pp.06.exe""" "Cleaned Fail" "Deleted Successfully"
"04:06" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\nfr[1].exe" "Quarantined Successfully" ""
"04:06" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\pp.06[1].exe" "Quarantined Successfully" ""
"04:22" "Web Threat Monitor" "Web" "Cryp_FakeAV-12" " ""http://fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup""" "Cleaned Fail" "Deleted Fail"
"04:37" "Web Threat Monitor" "Web" "Cryp_FakeAV-12" " ""http://fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup""" "Cleaned Fail" "Deleted Fail"
"04:52" "Web Threat Monitor" "Web" "Cryp_FakeAV-12" " ""http://fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup""" "Cleaned Fail" "Deleted Fail"
"04:58" "Web Threat Monitor" "Web" "TROJ_DROPPER.APJ" " ""http://aksajans.com/1/6244.exe""" "Cleaned Fail" "Deleted Successfully"
"04:58" "Web Threat Monitor" "Web" "TROJ_DROPPER.APJ" " ""http://aksajans.com/1/6244.exe""" "Cleaned Fail" "Deleted Successfully"
"04:58" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"04:58" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"04:58" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\nfr[1].exe" "Quarantined Successfully" ""
"05:11" "File Monitor" "File" "JS_DLOADER.UGD" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\ZHYLPI1O\destrub[1].js" "Quarantined Fail" ""
"05:11" "File Monitor" "File" "HTML_FAKEAV.AMN" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\mouse_block[1].js" "Quarantined Fail" ""
"07:03" "Web Threat Monitor" "Web" "TROJ_DROPPER.APJ" " ""http://aksajans.com/1/6244.exe""" "Cleaned Fail" "Deleted Successfully"
"07:03" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"07:03" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\nfr[1].exe" "Quarantined Successfully" ""
"08:52" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"08:52" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/nfr.exe""" "Cleaned Fail" "Deleted Successfully"
"10:53" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/fb.42.exe""" "Cleaned Fail" "Deleted Successfully"
"10:53" "Web Threat Monitor" "Web" "PAK_Generic.001" " ""http://aksajans.com/1/ms.18.exe""" "Cleaned Fail" "Deleted Successfully"
==========================================================================================================

And a log from MBAM from a scan I ran right before posting this:

==========================================================================================================
Malwarebytes' Anti-Malware 1.36
Database version: 2090
Windows 5.1.2600 Service Pack 3

09/05/2009 15:24:07
mbam-log-2009-05-09 (15-24-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 217830
Time elapsed: 3 hour(s), 19 minute(s), 11 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
C:\WINDOWS\pp06.exe (Worm.Koobface) -> Unloaded process successfully.
c:\WINDOWS\mstre18.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmstray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS32DLL (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Trend Micro\Internet Security\TmpxTmp\htt16.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\Internet Security\TmpxTmp\htt7D.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\Internet Security\TmpxTmp\httA0.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_avast4_\unp230326703.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy42.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2668f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2695f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\mstre18.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\pp06.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1241772406.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f5087.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Delete on reboot.
=======================================================================================================

The thing is, I have run it several times now, and even flagging the file for deletion on startup has not got rid of the malicious files so far.

Finally, this is from the logs from AVAST:

=======================================================================================================
09.05.2009 00:01:14 Network Shield: blocked access to malicious site thesecurityscan.com/js/jquery.js [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:15 Network Shield: blocked access to malicious site thesecurityscan.com/js/jquery-init.js [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:15 Network Shield: blocked access to malicious site thesecurityscan.com/js/flist.js [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:15 Network Shield: blocked access to malicious site thesecurityscan.com/images/page_progressbar.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:15 Network Shield: blocked access to malicious site thesecurityscan.com/images/i5000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i6000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i7000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i1000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i2000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i3000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/i4000000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/inf20000.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/folder.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/hdd.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/dvd.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/qicon.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/window1.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:16 Network Shield: blocked access to malicious site thesecurityscan.com/images/box_top_.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:17 Network Shield: blocked access to malicious site thesecurityscan.com/images/hrline.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:17 Network Shield: blocked access to malicious site thesecurityscan.com/images/progressbar.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:17 Network Shield: blocked access to malicious site thesecurityscan.com/images/progressbar_green.gif [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:01:30 Network Shield: blocked access to malicious site thesecurityscan.com/favicon.ico [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:04:07 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:19:04 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 00:49:07 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 01:19:13 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 01:34:11 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 02:04:12 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 02:19:13 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 02:34:38 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 02:49:40 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 03:04:28 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 03:19:29 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 03:34:36 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 03:49:31 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 04:04:32 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 04:19:33 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 04:34:36 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 04:49:54 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 05:05:25 Network Shield: blocked access to malicious site fresh-xxx-movies.com/promo3/get.php?aid=1451&vname=setup [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 980 ) ]
09.05.2009 12:57:15 Network Shield: blocked access to malicious site 85.12.43.127/css/pdf_2.php?new=3&u=i_7_0&cc=?&st=3w21&tm=000012&r=ictyay8nw [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 8016 ) ]

08/05/2009 07:10:41 1241763041 SYSTEM 1836 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\WINDOWS\system32\fos64.dll" file.
08/05/2009 07:14:06 1241763246 yes 3716 Sign of "Win32:Haxdoor-JV [Trj]" has been found in "c:\windows\system32\sorrd.sys" file.
08/05/2009 08:51:03 1241769063 yes 1812 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\6244[1].exe" file.
08/05/2009 08:52:13 1241769133 yes 1812 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\st_1241787882.exe" file.
08/05/2009 09:03:13 1241769793 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://topscan4.com/?uid=13300" file.
08/05/2009 09:03:13 1241769793 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://topscan4.com/script_en.js" file.
08/05/2009 09:03:42 1241769822 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\topscan4_com[1].htm" file.
08/05/2009 09:51:04 1241772664 yes 1812 Sign of "JS:FakeAV-V [Trj]" has been found in "http://thesecurityscan.com/js/flist.js" file.
08/05/2009 09:51:14 1241772674 yes 1812 Sign of "JS:FakeAV-V [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\flist[1].js" file.
08/05/2009 10:18:18 1241774298 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://topscan4.com/?uid=13300" file.
08/05/2009 10:18:19 1241774299 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://topscan4.com/script_en.js" file.
08/05/2009 10:18:26 1241774306 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\2KKHVFFE\topscan4_com[1].htm" file.
08/05/2009 12:18:30 1241781510 yes 1812 Sign of "JS:FakeAV-V [Trj]" has been found in "http://thesecurityscan.com/js/flist.js" file.
08/05/2009 12:18:36 1241781516 yes 1812 Sign of "JS:FakeAV-V [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\flist[1].js" file.
08/05/2009 14:33:35 1241789615 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://fanscan4.com/?uid=13300" file.
08/05/2009 14:33:35 1241789615 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://fanscan4.com/script_en.js" file.
08/05/2009 14:33:46 1241789626 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\ZHYLPI1O\fanscan4_com[1].htm" file.
09/05/2009 01:04:14 1241827454 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scan4atom.info/?uid=13300" file.
09/05/2009 01:04:15 1241827455 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scan4atom.info/script_en.js" file.
09/05/2009 01:04:16 1241827456 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\scan4atom_info[1].htm" file.
09/05/2009 01:49:12 1241830152 yes 1812 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://218.93.202.50/redirectsoft/popup/" file.
09/05/2009 09:20:39 1241857239 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scan4atom.info/script_en.js" file.
09/05/2009 09:20:39 1241857239 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scan4atom.info/?uid=13300" file.
09/05/2009 09:20:45 1241857245 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\ZHYLPI1O\scan4atom_info[1].htm" file.
09/05/2009 13:36:30 1241872590 yes 1812 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://218.93.202.50/redirectsoft/popup/" file.
09/05/2009 14:21:42 1241875302 yes 1812 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scan4mini.info/?uid=13300" file.
09/05/2009 14:51:48 1241877108 yes 1812 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://218.93.202.50/redirectsoft/popup/" file.

=======================================================================================================

I've found what appears to me to be a very similar problem on this website at :
http://www.bleepingcomputer.com/forums/t/219920/not-sure-what-virus-i-have/
The solution described there involved using programs I'm not at all familiar with, and there's a warning against using them unless specifically advised to, so I haven't done anything.
Also, I've since discovered that the time of day seems to have no effect on when the Facebook messages are sent out, so ignore that.

Thanks again
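As an added example (not code from this thread or from any of the tools named in it), a small Python triage script over the two log formats posted above. It parses the Malwarebytes and Trend Micro lines and lists the Run-key autorun values, files deferred to "Delete on reboot", a running process whose file is still pending deletion (the "keeps coming back" case), and Trend Micro rows where both actions failed. The sample lines are a constructed subset of the logs in this thread.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Constructed excerpt of the Malwarebytes log posted in this thread
# (format: "<item> (<threat name>) -> <action>." under a "<Section>:" header).
MBAM_SAMPLE = r"""Memory Processes Infected:
C:\WINDOWS\pp06.exe (Worm.Koobface) -> Unloaded process successfully.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS32DLL (Worm.KoobFace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\freddy42.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Delete on reboot.
"""

# Constructed excerpt of the Trend Micro "Virus Scan Logs" lines posted above:
# space-separated, double-quoted fields; the first line is a report header.
TREND_SAMPLE = r'''"Virus Scan Logs" "May 08, 2009" "LOWMEM"
"00:16" "File Monitor" "File" "PAK_Generic.001" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\H2C7ZNQM\fb.42[1].exe" "Quarantined Successfully" ""
"05:11" "File Monitor" "File" "JS_DLOADER.UGD" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\ZHYLPI1O\destrub[1].js" "Quarantined Fail" ""
"05:11" "File Monitor" "File" "HTML_FAKEAV.AMN" "C:\Documents and Settings\yes\Local Settings\Temporary Internet Files\Content.IE5\5WO5VWXC\mouse_block[1].js" "Quarantined Fail" ""
'''

MBAM_LINE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
TREND_FIELDS = ("time", "detected_by", "source", "threat", "target",
                "first_action", "second_action")


def parse_mbam(text):
    """Return (section, item, threat, action) tuples for every MBAM detection line."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. "Files Infected"
            continue
        m = MBAM_LINE.match(line)
        if m:
            records.append((section, m["item"], m["threat"], m["action"]))
    return records


def parse_trend(text):
    """Parse Trend Micro scan-log rows into dicts; rows without 7 fields (headers) are skipped."""
    rows = csv.reader(StringIO(text), delimiter=" ", quotechar='"')
    return [dict(zip(TREND_FIELDS, row)) for row in rows if len(row) == len(TREND_FIELDS)]


def triage(mbam_text, trend_text):
    """Pull out what a helper looks for first: autoruns, leftovers and failed actions."""
    mbam = parse_mbam(mbam_text)
    # Run-key values: the entries that relaunch the worm at every logon.
    persistence = [RUN_VALUE.search(item).group(1)
                   for sec, item, _, _ in mbam
                   if sec == "Registry Values Infected" and RUN_VALUE.search(item)]
    # Files MBAM could not remove while Windows was up (deferred to the next reboot).
    pending = [item for sec, item, _, act in mbam
               if sec == "Files Infected" and act == "Delete on reboot"]
    # A process that was only unloaded, whose file is still pending deletion, is
    # the "it keeps coming back" pattern: the component is re-dropped on restart.
    unloaded = {item.lower() for sec, item, _, _ in mbam
                if sec == "Memory Processes Infected"}
    recurring = [p for p in pending if p.lower() in unloaded]
    # Trend Micro rows where neither the first nor the second action succeeded.
    failed = [r["target"] for r in parse_trend(trend_text)
              if "Successfully" not in r["first_action"] + r["second_action"]]
    # Threat names are inconsistently cased in the log (Koobface / KoobFace).
    families = Counter(threat.lower() for _, _, threat, _ in mbam)
    return {"persistence": persistence, "pending": pending,
            "recurring": recurring, "failed": failed, "families": dict(families)}


if __name__ == "__main__":
    for key, value in triage(MBAM_SAMPLE, TREND_SAMPLE).items():
        print(f"{key}: {value}")
```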

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 09 May 2009 - 05:30 PM

Hello.

There are sites that your Avast is blocking, which is fine, and the Trend Micro log was mainly the same thing, with some temporary internet files as well.

One of them is a backdoor. I suggest you read the following.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

If you have any other computers connected to the same network they may also be infected.

If you wish to continue disinfecting, it would be better if you start another topic in the HJT-Malware Removal forum.

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Good Luck!

With Regards,
Extremeboy

#5 Help_Me_Plz (Topic Starter)

  • Members
  • 4 posts

Posted 09 May 2009 - 06:39 PM

Thank you again for your time and expertise. I'm going to have to cross my fingers and hope I can sort this before anything like that does happen, because I just don't have another computer to use to fix this one :( Backing up doesn't seem like an option either, because every time I've tried that in the past it's totally wrecked the computer I've been working on, or at the very least slowed it down to the point of pointlessness.

The attack hasn't seemed particularly human so far, hopefully all this stuff is just automated.

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 09 May 2009 - 06:43 PM

Hello.

I see you started another topic (http://www.bleepingcomputer.com/forums/t/225755/backdoor-trojan-koobface-troj-dropper-fake-av/). I suggest you not use the internet too much at this point.

Someone should get to you within a week (I don't guarantee that). We have over 700 logs that need responses, so please be patient.

This topic will soon be closed.

With Regards,
Extremeboy

#7 Orange Blossom

  • Bleepin' Investigator
  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 09 May 2009 - 07:34 PM

Hello Help_Me_Plz,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/225755/backdoor-trojan-koobface-troj-dropper-fake-av/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
