
Trojan


8 replies to this topic

#1 JeffAST

JeffAST

  • Members
  • 34 posts
  • Gender:Male

Posted 22 June 2009 - 10:32 PM

I got this virus 2 hours ago. I was just surfing ThePirateBay and Google and obviously got hacked, 'cause I didn't download anything. It brought up a bunch of pop-ups with IE, loaded a fake spyware scanner, changed my wallpaper, wouldn't let me open any virus scanner, and I started getting audio commercials playing out of the speakers. I'm just trying to get rid of the rest of it now. I restarted in safe mode, uninstalled the entries below from HiJackThis, restarted, and got rid of liser.exe and Trojan agent/exe with Enigma SpyHunter.

C:\Program Files\Manson\liser.exe
liser.exe
liser.dll
e5yw3yhaqghraewh3ye3hbsshsnqqa81
96474056
kell
wiawow32
iexplore.exe
Dailybucks_Install.exe
tpsaxyd.exe


e-mail me at: Email address removed to prevent spam bots and they aren't permitted~~boopme

Edited by boopme, 23 June 2009 - 10:32 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 June 2009 - 10:45 PM

Hello and welcome. I am moving this to the Am I Infected forum as that would be a better place.

Please run these next. If you have Spybot installed, temporarily disable it.
Next run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 JeffAST

JeffAST
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male

Posted 22 June 2009 - 11:34 PM

Renaming MBAM worked, and here are the scan results. I hope that's the rest of the virus:
xpreapp
uacinit.dll
comsa32.sys
sopidkc
FInstall.sys
Sopidkc.exe
HKEY_Local_Machine\software\UAC

#4 JeffAST

JeffAST
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male

Posted 23 June 2009 - 01:46 AM

I installed NOD32 and it's finding more.

Rootkit.Agent.ODG Trojan (unable to remove)
Win32/Starter.NAE Trojan
net.net TrojanClicker.Punad.AA Trojan

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 June 2009 - 06:57 AM

Please post the complete results of your MBAM scan for boopme to review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
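For a reader who would rather collect the log from a shell than through the MBAM Logs tab, here is an added PowerShell example (not from the thread or from Malwarebytes) that looks in the two log folders quoted in the post above, picks the newest mbam-log-*.txt, and shows it in full so the header with the database version and OS details is included. It assumes the `<Username>` placeholder is the current user and copies the Vista path exactly as the post gives it; `Set-Clipboard` needs PowerShell 5.0 or later.

```powershell
# Added example: locate and display the newest Malwarebytes' Anti-Malware scan log
# from the folders named in the post above (not part of the original thread).

$candidates = @(
    # XP, per-user profile; <Username> from the post expanded to the current user (assumption)
    "C:\Documents and Settings\$env:USERNAME\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs",
    # Vista path exactly as quoted in the post
    "C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs"
)

# Only folders that actually exist on this machine are searched
$logs = foreach ($dir in $candidates) {
    if (Test-Path -LiteralPath $dir) {
        # File name pattern from the post: mbam-log-date(time).txt
        Get-ChildItem -LiteralPath $dir -Filter 'mbam-log-*.txt' -File -ErrorAction SilentlyContinue
    }
}

if (-not $logs) {
    Write-Host "No MBAM logs found in the expected locations."
    return
}

# Several logs exist if MBAM was run more than once; take the most recent by write time
$newest = $logs | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Write-Host "Newest log: $($newest.FullName)"

# Print the whole log: the top lines carry the database version and operating system
Get-Content -LiteralPath $newest.FullName

# Put the complete log on the clipboard so it can be pasted into a forum reply
Get-Content -LiteralPath $newest.FullName | Set-Clipboard
```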

#6 JeffAST

JeffAST
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male

Posted 23 June 2009 - 08:34 PM

Download Combofix and rename it to FixCombo
Restart in safe mode with networking
Run Combofix and it will remove all the files associated with virus

Malwarebytes found 6 files, ESET found 5 but couldn't remove them, HiJackThis helped a little, SpyHunter came up with 8 results, TuneUp Utilities got rid of the old restore points. ComboFix is the only thing that will actually delete all 184 files associated with this rootkit virus that's been spreading all over the web.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 June 2009 - 09:14 PM

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer. That's the decision by the creator and we will abide by that decision.

Further, you should not be recommending its use. Please read the pinned sticky How do I get help? Who is helping me?

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden; the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

  • Manual file removal instruction
  • ComboFix instructions or discussion
  • SDFix instruction
  • Registry instruction
  • Automated registry cleaners
  • HiJackThis instructions (logs are for review only)
  • Custom scripts, batch files.



#8 JeffAST

JeffAST
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male

Posted 23 June 2009 - 10:14 PM

Yeah, well I spent 20 hours using every other virus scanner and they only removed a couple of files. I had audio coming out of my speakers with people reading advertisements to me while I tried to remove the virus. More and more people have been getting infected with this virus that appeared 2 weeks ago, and MBAM isn't gonna remove it for anyone.

Edited by JeffAST, 23 June 2009 - 10:20 PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 June 2009 - 07:47 AM

If MBAM could not run, there are other tools that can be used in this forum and boopme would have gotten to some of them if you continued to have problems.