Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection problems


  • This topic is locked This topic is locked
15 replies to this topic

#1 CCS Family

CCS Family

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 05 June 2009 - 11:23 PM

Hi,

The computer we use is a Dell, with Windows XP. I have been getting popups from Security Center that say there is spyware, trojans, password stealer, etc. I've tried to find programs to remove them, but all have failed me with mandatory registering or not functioning upon installation. I'm looking for a FREE way to fix my problems, and hopefully in a short amount of time. Any help will be greatly appreciated.

I've installed the following (with no success in removal):
-Ad-Aware
-NoAdware5
-Trojan Slayer
-Claimwin
-WinBlueSoft
-AVG free

Affects of infection:

-Redirected links through google.com
-Unable to open local disc C: by double clicking icon in My Computer. (I am able to reach it by typing C: in address bar)
"Windows cannot find 'RECYCLER\S-7-3-76...."

As far as I know these are the only affects we have seen. This infection has just started however, and we are unsure of how it exactly happened. We believe it may have occurred through a torrent used by someone else on our computer.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 06 June 2009 - 11:13 AM

Hello CCS Family, and :thumbsup: to BleepingComputer.

Sadly, the WinBlueSoft program you ran, thinking it was an antivirus-program, is in reality a rogue program, that tells you your computer is infected when it is not, with the goal to convince you to pay for their product.

To see if we can remove this and the other possible infections you have, please do the following.

Please run MBAM (MalwareBytes Antimalware):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 06 June 2009 - 06:40 PM

Alright, thanks for replying to my problem.

Well, I just downloaded MBAM, went through the installation process as you directed, and clicked FINISH for it to update and launch MBAM, however, when I do this, nothing happens. Also, I tried to double click the program and still nothing happens. I've uninstalled and re-installed the program, with the same results. Also, I've renamed the .exe files in case the virus stopped it from working due to the name.

*Also, I have checked for other security programs, but all we have (to my knowledge) is ClaimWin, which I disabled.

Edited by CCS Family, 06 June 2009 - 08:58 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 07 June 2009 - 02:12 AM

Hello CSS Family,

First of all, in your first post you mention using torrents. Please note the following
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall any p2p-programs you have installed on your computer, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 07 June 2009 - 08:06 PM

We'll be sure not to use any torrents on our computer anymore! And I've already taken the liberty of removing the torrent program.

Here are the results from the scan:

s-0-5-92-100007856-100029268-100022057-7693.com;c:\recycler;BackDoor.Tdss.119;Deleted.;
gxvxcctyqgphhwxeqtoulkafjcynnofivhhyk.sys;c:\windows\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxcodlchydgxpvkljrjpciqbacmqaqukpyl.dll;C:\WINDOWS\system32;BackDoor.Tdss.223;Deleted.;
gxvxcsjrsqdgppuelalcctavuuuenucvgrnkk.dll;C:\WINDOWS\system32;BackDoor.Tdss.223;Deleted.;
gxvxcdhtqmkpcovmxepkhcwmhaelnkumktucq.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxcfqmoqelwmnrerfvmeyxvmpcbqxmpwgie.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxcixgwrrirntjlktuwyelyarmtknthxfll.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxclhbvdlyavqbonvkftanjtxujyutoijgv.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxcpoaqrntusoqunwrowsviksxoexlsakda.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
gxvxcskapfujovyqmlmkvxdutewybxjklmhjb.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
1094984.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
1198734.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
1226015.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
147859.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
239718.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
70632437.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;
90234.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.119;Deleted.;


I also now am able to run MBAM and am currently doing the scan.

Edited by CCS Family, 07 June 2009 - 08:08 PM.


#6 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 07 June 2009 - 08:17 PM

Here are the results from MBAM:


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/7/2009 8:12:54 PM
mbam-log-2009-06-07 (20-12-54).txt

Scan type: Quick Scan
Objects scanned: 80306
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3d6fe605-788f-4833-bb82-214dcd71ca89}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3d6fe605-788f-4833-bb82-214dcd71ca89}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3d6fe605-788f-4833-bb82-214dcd71ca89}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ef995eb6-da9b-4714-9fc2-0d348a5e6fa3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.113,85.255.112.175 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcodlchydgxpvkljrjpciqbacmqaqukpyl.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#7 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 07 June 2009 - 08:42 PM

It appears that after i rebooted for MBAM, the Trojan.Fakealert persists. I also tried this in safe mode in case it might affect it, and it had no effect. This Trojan.Fakealert is what is left over from the WinBlueSoft rogue program.

Edited by CCS Family, 07 June 2009 - 08:44 PM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 08 June 2009 - 01:56 AM

Hello CCS Family,

Can you please re-run Malwarebytes Antimalware, do a Full Scan (do not scan in safe mode, this program works best in normal mode) and post the results?

-Redirected links through google.com
-Unable to open local disc C: by double clicking icon in My Computer. (I am able to reach it by typing C: in address bar)
"Windows cannot find 'RECYCLER\S-7-3-76...."

Are these problems still persisting? How is your computers performance now? Do you have any other complains about strange behaviour?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 08 June 2009 - 12:08 PM

Here are the results fo the Full Scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/8/2009 12:06:24 PM
mbam-log-2009-06-08 (12-06-24).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 116551
Time elapsed: 24 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And those syptoms have all be resolved. The only problem we are experiencing now is the winbluesoft program.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 08 June 2009 - 12:19 PM

Hello CCS Family,

Lets start this simple. Go to Start > Control Panel > Add/Remove programs and see if WinBlueSoft is listed there, if so, uninstall it.
I see in your log that Malwarebytes antimalware is NOT updated. Please make sure the program is updated (checked it now, latest update is 2249) and rescan.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by elise025, 08 June 2009 - 12:21 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 08 June 2009 - 03:21 PM

Alright here are the rsults from the SUPERAntiSypware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2009 at 03:02 PM

Application Version : 4.26.1004

Core Rules Database Version : 3929
Trace Rules Database Version: 1872

Scan type : Complete Scan
Total Scan Time : 01:20:01

Memory items scanned : 240
Memory threats detected : 0
Registry items scanned : 5584
Registry threats detected : 24
File items scanned : 36851
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@specificclick[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@ad.yieldmanager[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@advertising[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@zedo[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@doubleclick[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@atdmt[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@tacoda[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@bs.serving-sys[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@c7.zedo[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@tribalfusion[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@realmedia[1].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@serving-sys[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@ads.bleepingcomputer[2].txt
C:\Documents and Settings\The Sanborns\Cookies\the_sanborns@questionmarket[2].txt

Rootkit.Agent/Gen-GXServ
HKLM\Software\gxvxc
HKLM\Software\gxvxc\disallowed
HKLM\Software\gxvxc\disallowed#avp.exe
HKLM\Software\gxvxc\disallowed#klif.sys
HKLM\Software\gxvxc\disallowed#mrt.exe
HKLM\Software\gxvxc\disallowed#spybotsd.exe
HKLM\Software\gxvxc\disallowed#sasdifsv.sys
HKLM\Software\gxvxc\disallowed#saskutil.sys
HKLM\Software\gxvxc\disallowed#sasenum.sys
HKLM\Software\gxvxc\disallowed#superantispyware.exe
HKLM\Software\gxvxc\disallowed#szkg.sys
HKLM\Software\gxvxc\disallowed#szserver.exe
HKLM\Software\gxvxc\disallowed#mbam.exe
HKLM\Software\gxvxc\disallowed#mbamswissarmy.sys
HKLM\Software\gxvxc\disallowed#pctssvc.sys
HKLM\Software\gxvxc\disallowed#pctcore.sys
HKLM\Software\gxvxc\disallowed#mchinjdrv.sys
HKLM\Software\gxvxc\disallowed#avgfwdx.sys
HKLM\Software\gxvxc\disallowed#avgldx86.sys
HKLM\Software\gxvxc\disallowed#avgmfx86.sys
HKLM\Software\gxvxc\disallowed#avgrkx86.sys
HKLM\Software\gxvxc\disallowed#avgtdix.sys
HKLM\Software\gxvxc\disallowed#hijackthis.exe
HKLM\Software\gxvxc\disallowed#combofix.exe




***Also, it seems that the WInBLueSoft is still creating popup messages.

#12 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 08 June 2009 - 04:12 PM

Hey Elise,

I was recommended to try SmitFraudFix by a friend. He helped me to run the program in order to get rid of the rogue WinBlueSoft. It appears that it has worked. There are no more popups about fake trojans. The setup2.exe which it used for its process is not showing up. So I believe that all the infection is done. (If you feel otherwise feel free to say so).

*What program would you recommend to run for continued protection?

And I just want to say thank you very much for all the help that you've given us.

Edited by CCS Family, 08 June 2009 - 08:16 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 09 June 2009 - 01:55 AM

Hello CCS Family,

I am glad to hear everything works fine now, but you had a rootkit on your system and those are very nasty. We cannot make sure its gone without some deeper investigation, which I can not give you in this forum. With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Please let me know what you decide.

Indifferent of your decision, for continued protection you will need an antivirus scanner enabled (AVG is not bad, but there are better free products) and a firewall with outbound protection. XP firewall is NOT enough!

Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I recommend that you install one of the following free firewalls (if you have none installed currently): Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 CCS Family

CCS Family
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 09 June 2009 - 08:38 AM

Hey,

So I've decided to go ahead and post on the malware forum like you said. This is the link Here.

Once again thank you for the help you've given us thusfar.

Thanks!

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,309 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:01 AM

Posted 09 June 2009 - 08:41 AM

Hello CCS Family,

I saw your topic in HJT. I will request this topic to be closed.

Please be patient, the HJT forum is very busy, it will take a few days before you will get a response. Don't worry, you will get an answer.

Glad I could help so far!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users