Win32:Falder [Trj]


16 replies to this topic

#1 Musical_Nymph

Posted 20 June 2009 - 07:36 PM

Avast! had a warning that I was infected with this. There were more pop-ups as well with other warnings.

I put all of them into the chest. I looked at where they are, and the original location for Win32:Falder [Trj] is in the C:\Windows\Temp. I scanned the file within Avast! and this was the message I got:

Virus has been detected!
File Name: 2289611.tmp
FileID: 9
Virus Description: Win32:Falder [Trj]


I did a boot-time scan and the results said there were no infected files. As soon as Avast! found it, I could hear something being played on my computer. I turned up the volume and it was voice ads. Mostly for laundry detergent.

All the others say the original location is in my Temporary Internet Files\Content.IE5\'Random numbers/letters'.

I've tried opening Malwarebytes' Anti-Malware, but nothing happens when I do. I've tried several times before and after the boot-time scan.

I googled some online help and saw this site, and I thought I'd post as I'm not very techy. I'm freaking out a bit because I don't know what else to do.

I am running Windows Vista: Home Premium. I have SP1. Don't know what else to add. Any help will be much appreciated. Thank you in advance.


#2 boopme

Posted 20 June 2009 - 08:02 PM

Hello and welcome. This looks like a variant of the Zlob and FakeAlert Trojan.

Please run Part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Musical_Nymph

Posted 20 June 2009 - 08:25 PM

Hello, and thank you for your quick reply.

I downloaded and ran SmitFraudFix. I needed to run it as an administrator for it to work. Here is the log:

SmitFraudFix v2.422

Scan done at 20:12:02.09, 20-Jun-09
Run from C:\Users\Tana-Banana\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\temp\2289408.tmp
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tana-Banana\Desktop\SmitfraudFix\Policies.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Tana-Banana


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\TANA-B~1\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Tana-Banana\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\TANA-B~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 85.255.112.73
DNS Server Search Order: 85.255.112.7

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I already have MBAM installed. I tried running it, once again, as an administrator and I got an error message "MBAM has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." I tried renaming it to 'zztoy' as you suggested and still nothing. The same thing happened when I tried it as an administrator, before I renamed it.

Should I go into Safe Mode and try again and post what happens?
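As an added example (not code from this thread or from S!Ri's tool), here is a small Python parser for the "DNS" section of a SmitfraudFix report like the one posted above. It applies the report's own heuristic (any resolver in 85.255.x.x is a possible hijack) and goes one step further by flagging interfaces whose static NameServer differs from the DHCP-supplied DhcpNameServer, which is the pattern visible in the log. The sample lines are constructed from values in this thread; the line format is assumed to be exactly what the report prints.

```python
import ipaddress
import re
from collections import defaultdict

# Heuristic the SmitfraudFix report itself uses: any resolver inside
# 85.255.x.x is reported as a possible DNS hijack.
SUSPICIOUS_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# One line of the "DNS" section, either per-interface or the global Parameters key:
#   HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID}: NameServer=85.255.112.73,85.255.112.7
#   HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<iface>[0-9A-Fa-f-]+)\}|Parameters): "
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$"
)

# Constructed sample: a few lines shaped like the report above (values copied from it).
SAMPLE_REPORT_LINES = [
    "Your computer may be victim of a DNS Hijack: 85.255.x.x detected !",
    "Description: Atheros AR5007EG Wireless Network Adapter",
    "DNS Server Search Order: 85.255.112.73",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7",
    r"HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7",
]


def parse_dns_line(line):
    """Return (control_set, scope, key, [ip addresses]) for a DNS report line, else None.

    scope is the interface GUID (upper-cased) or the literal "Parameters".
    Resolver lists may be comma- or space-separated; non-IP tokens are skipped.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    scope = m.group("iface").upper() if m.group("iface") else "Parameters"
    ips = []
    for tok in re.split(r"[,\s]+", m.group("servers").strip()):
        if not tok:
            continue
        try:
            ips.append(ipaddress.ip_address(tok))
        except ValueError:
            continue
    return m.group("cs"), scope, m.group("key"), ips


def is_suspicious(ip):
    """True if the resolver falls inside one of the flagged ranges."""
    return any(ip in net for net in SUSPICIOUS_NETS)


def analyze_dns_report(lines):
    """Group resolver entries by (control set, scope) and flag two conditions:

    - "suspicious-range": any resolver inside SUSPICIOUS_NETS;
    - "static-override": a NameServer value that differs from the DhcpNameServer
      value for the same scope, i.e. a static setting shadowing what DHCP handed out.
    Returns a list of finding dicts, sorted by control set and scope.
    """
    by_scope = defaultdict(dict)
    for line in lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        cs, scope, key, ips = parsed
        by_scope[(cs, scope)][key] = ips

    findings = []
    for (cs, scope), keys in sorted(by_scope.items()):
        reasons = []
        bad = sorted({str(ip) for ips in keys.values() for ip in ips if is_suspicious(ip)})
        if bad:
            reasons.append("suspicious-range")
        static, dhcp = keys.get("NameServer"), keys.get("DhcpNameServer")
        if static and dhcp is not None and static != dhcp:
            reasons.append("static-override")
        if reasons:
            findings.append({"control_set": cs, "scope": scope,
                             "reasons": reasons, "suspicious_ips": bad})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_report(SAMPLE_REPORT_LINES):
        print(f"{f['control_set']}/{f['scope']}: {', '.join(f['reasons'])} {f['suspicious_ips']}")
```

Note that the report lists every control set (CCS, CS1, CS3), so a fix that only touches CurrentControlSet would leave the hijacked values in the others, which is why the findings are keyed per control set.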

#4 boopme

Posted 20 June 2009 - 09:20 PM

Hi, and you are welcome. OK, we have a few things to do then; malware is causing interference.

We need to run another part of Smitfraudfix..

Double-click smitfraudfix.exe to start the tool again.
Select option #5 - Search and clean DNS Hijack by typing 5 and press "Enter".
After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive at C:\rapport.txt.
Post that back.

Now open MBAM. Click the Update tab and update,then try scanning. Post that log too.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#5 Musical_Nymph

Posted 20 June 2009 - 09:39 PM

Before I do that, I went ahead and tried to run MBAM in safe mode. I got it to load and did a quick scan. I didn't clear anything, but I did save a log. I'll post it now.

Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 6.0.6001 Service Pack 1

20-Jun-09 21:23:08
mbam-log-2009-06-20 (21-23-04).txt

Scan type: Quick Scan
Objects scanned: 58049
Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c69a1454-6db0-4bd9-a237-987efafb88f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c69a1454-6db0-4bd9-a237-987efafb88f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{bd700d70-4407-43e8-aa8b-dda1e4d7c854}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c69a1454-6db0-4bd9-a237-987efafb88f6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.73,85.255.112.7 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Tried to run SFF again, and I got a pop-up asking me if I wanted to set my network to dynamic (DHCP) server. The options are yes or no. Should I select 'No'?

#6 boopme

Posted 20 June 2009 - 10:30 PM

Hi. First, try to run MBAM in normal mode unless you cannot. It is stronger that way. Use DHCP, choose YES.
Usually "No action taken" means you did not select "Remove Selected" after the scan.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 20 June 2009 - 10:31 PM.


#7 Musical_Nymph

Posted 20 June 2009 - 10:45 PM

I chose 'Yes' in SFF. Here is the report from that:

SmitFraudFix v2.422

Scan done at 21:28:06.87, 20-Jun-09
Run from C:\Users\Tana-Banana\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 85.255.112.73
DNS Server Search Order: 85.255.112.7

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: DhcpNameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.73,85.255.112.7

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: DhcpNameServer=208.67.222.222 208.67.220.220 192.168.1.1

MBAM ran after that in normal mode. Here is the log from that scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 6.0.6001 Service Pack 1

20-Jun-09 22:43:51
mbam-log-2009-06-20 (22-43-51).txt

Scan type: Quick Scan
Objects scanned: 80331
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SeekingAlpha (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SeekingAlpha (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BlueRaTech (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlueRaTech (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BlueRaTech (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\BlueRaTech (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SeekingAlpha (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\SeekingAlpha (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\tana-banana\AppData\Roaming\microsoft\Windows\start menu\Programs\blueratech\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\blueratech\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Users\tana-banana\AppData\Roaming\microsoft\Windows\start menu\Programs\seekingalpha\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\seekingalpha\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXkvreurvihudxxcpfmeyrcinhycmithen.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXpbfaquqvpyvvxpblfcipwnophpbygewx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#8 boopme

Posted 20 June 2009 - 11:13 PM

Ok, we are making progress. You had an old copy of MBAM there. Whenever you scan always check for updates first.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware (http://www.superantispyware.com/), Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now we will work on the DNS changer.
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router.

Edited by boopme, 20 June 2009 - 11:18 PM.


#9 Musical_Nymph

Posted 21 June 2009 - 01:21 AM

All right, here is the log from Super:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/21/2009 at 01:05 AM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 01:23:38

Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 7476
Registry threats detected : 0
File items scanned : 152367
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Cookies\tana-banana@advertising[1].txt
C:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Cookies\tana-banana@at.atwola[1].txt
C:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Cookies\tana-banana@atwola[1].txt
C:\Users\Tana-Banana\AppData\Roaming\Microsoft\Windows\Cookies\tana-banana@tacoda[2].txt


I will post the edited part you added in a moment.

EDIT:

Here's the log after I reset the router.

Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 6.0.6001 Service Pack 1

21-Jun-09 01:38:09
mbam-log-2009-06-21 (01-38-09).txt

Scan type: Quick Scan
Objects scanned: 79808
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Musical_Nymph, 21 June 2009 - 02:24 AM.


#10 boopme (Global Moderator)

Posted 21 June 2009 - 12:04 PM

Looks pretty good, any redirects??

#11 Musical_Nymph (Topic Starter)

Posted 21 June 2009 - 12:05 PM

Hello again. Was that my last step? Not to seem pushy or annoying, but I would really like to get this finished asap. Thanks! :thumbsup:

Edit: LOL. I guess I was a little too quick to respond. Anyway, I had my internet off last night. Nothing yet, as I just turned it back on.

Edited by Musical_Nymph, 21 June 2009 - 12:07 PM.


#12 boopme (Global Moderator)

Posted 21 June 2009 - 01:04 PM

Hi, I was waiting to see how it was. If there are no more symptoms then....
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
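A scripted equivalent of the two steps above (create a fresh restore point, then discard every older one that might hold a backed-up copy of the malware). This is an added example, not part of boopme's instructions; it assumes an elevated PowerShell session with System Restore enabled on C:, and that, as on Vista and later, restore points are stored as Volume Shadow Copies.

```powershell
# Added example: post-cleanup restore point hygiene.
# Run from an elevated (Administrator) PowerShell prompt.

function New-CleanRestorePoint {
    param([string]$Description = "Post-malware-cleanup (constructed label)")

    # Step 1: same effect as System Restore > "Create a Restore Point".
    # Note: Windows 8 and later refuse a second checkpoint within 24 hours
    # unless SystemRestorePointCreationFrequency is lowered in the registry.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Step 2: list the restore points so the new one can be written down
    # (boopme's "keep a log"). CreationTime is a WMI datetime string, which
    # sorts chronologically as text.
    Get-ComputerRestorePoint | Sort-Object CreationTime |
        Select-Object SequenceNumber, Description, CreationTime
}

function Remove-OldRestorePoints {
    # Restore points live in shadow copies of the system volume; deleting all
    # but the newest mirrors Disk Cleanup > More Options > System Restore.
    # Assumption: on this machine every shadow copy of C: is a restore point.
    $sysVol = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $sysVol } |
        Sort-Object InstallDate)          # oldest first

    if ($shadows.Count -le 1) {
        Write-Output "Only the newest restore point remains; nothing to remove."
        return
    }

    # Everything except the most recent copy is removed.
    $shadows | Select-Object -First ($shadows.Count - 1) | ForEach-Object {
        Write-Output ("Removing shadow copy {0} created {1}" -f $_.ID, $_.InstallDate)
        $_ | Remove-WmiObject
    }
}

New-CleanRestorePoint
Remove-OldRestorePoints
```

Verify afterwards with `Get-ComputerRestorePoint`: only the point you just created should be listed.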

#13 Musical_Nymph (Topic Starter)

Posted 21 June 2009 - 01:24 PM

I created a new restore point. I have a question though. I don't use Disk Cleanup, I use CCleaner. Will it suffice to use CCleaner instead? I have it on the most secure removal possible (Gutmann 32 or whatever it is).

#14 Orange Blossom (Moderator)

Posted 21 June 2009 - 01:58 PM

In order to flush your restore points, you have to use Disk Cleanup.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#15 Musical_Nymph (Topic Starter)

Posted 21 June 2009 - 02:06 PM

Okay, thanks. :thumbsup: I was just wondering cause I like to learn about this stuff.

Did the Disk Cleanup as asked.
