
Infected with win32/PSW.OnLineGames.NNU trojan


18 replies to this topic

#1 prabsi
  • Members
  • 15 posts

Posted 29 June 2009 - 12:49 AM

Dear friends in BC

Please note that I am resending this request as I did not get any replies from your team to my post which I mailed on 27th June.

I am indebted to you all for the help and knowledge I am receiving from time to time from your end. It is a wonderful & selfless service you are doing to all the computer fraternity around the Globe and it is absolutely amazing. I have not only benefited by your expert advice but also have created awareness among all my friends about your website and the quality of advice one gets here. Needless to say that they all have become regular visitors to this site. Long live "Bleeping Computer" and wish you all the best.

Of late, I have been observing erratic behaviour in my laptop and realised that it must have been infested. Though it is an old laptop, it is not slow under normal circumstances. I have Nod32 Anti virus which normally loads at the startup and starts running. But since the infection, I saw that NOD32 took too much time to load. I also had Adaware in the system which also started to behave erratically. Whenever I went for definition update, an error message used to come. I could still manage to scan the computer using Adaware but it did not detect anything other than some MRU items. But NOD32 scan resulted in finding the Win32/PSW.OnLineGames.NNU trojan which was quarantined. But soon I realised that I could no more see my hidden & system files. This option is not working now. When I go to folder option> view> and select "show hidden files"... The selection again goes back to "Do not show hidden files".
Then I tried to view those hidden files by going to Search >option> search all hidden files in all drives. I gave an option to search for all files created within the past couple of days and I got to see some new "exe" files & autorun files in both C & D drives. In my comp, the D drive itself is the primary drive in the place of C drive (it was like that when I bought it as a second hand system) and C is the drive which is used for storing other data. I saw files by name "y6yol.exe" and an "autorun.inf". I think there was also another file by name "gbm6n.exe". I selected and deleted them. I ran NOD32 again & found the same trojan being detected and automatically getting deleted. Then, when I tried to restart the system it was giving error message at the startup that "MWSBAR.dll" & "M3PLUGIN.DLL files are not able to load". For the time being I have disabled them both from the startup list. I did the same scan once again by disabling system restore on all drives. This time, however, there was no infection found. But I still can't see my hidden files. As my Adaware was causing problems to load, I uninstalled it. But now I am unable to reinstall it. The installation process stops abruptly with an error message.
I have tried every possible thing within my limited knowledge to remove this mess. As I am not successful, I have come to seek your help. Kindly go through this mail and do the needful. Also suggest some precautionary measures which I should take in order to avoid such mishaps in the future.

Thank you in advance


#2 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 29 June 2009 - 12:54 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 30 June 2009 - 11:20 PM

Dear Budapest

Thanks for your kind and quick response. I have done the scan with MBAM and am posting the log for your reference. Please go through it and advise.

Warm regards.....
Prabsi
--------------------------------------------------------------------------------------------------------------------------------------------------------

MBAM LOG:

Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 2

7/1/2009 8:30:38 AM
mbam-log-2009-07-01 (08-30-38).txt

Scan type: Quick Scan
Objects scanned: 84021
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
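The quick-scan log above is the useful artefact in this thread. Its three "Registry Data Items" show which settings the malware changed, with the value MBAM found ("Bad") and the value it restored ("Good"): the SHOWALL\CheckedValue item being 0 is exactly why the "Show hidden files" option kept reverting in the first post (CheckedValue must be 1 for that option to take effect), and the two Security Center items suppressed the firewall and update warnings. The parser below is an added example, not code from this thread or from Malwarebytes: it reads an MBAM log in the format posted above into structured findings, cross-checks the summary counts against the detail sections, and pulls out the tampered settings and the Run-key persistence value. The embedded sample log is a constructed, abridged copy of the posted one, and the names Finding, MbamReport and the helper functions are my own.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) text log into structured findings.

Added example for this thread; not code from BleepingComputer or Malwarebytes.
Section names and the "Bad: (x) Good: (y)" syntax follow the log as posted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the quick-scan log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 84021

Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 14" is a summary count; "Registry Keys Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# One detection line: path (category) -> [Bad: (x) Good: (y) ->] action.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    path: str
    category: str
    action: str
    bad: Optional[str] = None   # value MBAM found (data items only)
    good: Optional[str] = None  # value MBAM restored (data items only)


@dataclass
class MbamReport:
    header: Dict[str, str] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                report.counts[m.group("name")] = int(m.group("count"))
                section = None  # still in the summary block
            else:
                section = m.group("name")
            continue
        if section is None:  # header block: "Key: value" lines plus the OS line
            if ": " in line:
                key, _, value = line.partition(": ")
                report.header[key] = value
            elif line.startswith("Windows "):
                report.header["OS"] = line
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = FINDING_RE.match(line)
        if m:
            report.findings.append(Finding(section, m["path"], m["category"],
                                           m["action"], m["bad"], m["good"]))
    return report


def verify_counts(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Summary counts that disagree with the detail sections (a truncated paste shows up here)."""
    mismatches = {}
    for name, expected in report.counts.items():
        actual = sum(1 for f in report.findings if f.section == name)
        if actual != expected:
            mismatches[name] = (expected, actual)
    return mismatches


def tampered_settings(report: MbamReport) -> List[Tuple[str, str, str]]:
    """Settings the malware flipped: (registry path, value found, value restored)."""
    return [(f.path, f.bad, f.good) for f in report.findings
            if f.section == "Registry Data Items Infected"]


def persistence_entries(report: MbamReport) -> List[Finding]:
    """Run/RunOnce values: the autostart entries to re-check after cleanup and reboot."""
    return [f for f in report.findings if RUN_KEY_RE.search(f.path)]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header.get("Product", ""), rep.header.get("Database version"), rep.header.get("OS"))
    print("count mismatches:", verify_counts(rep))
    for path, bad, good in tampered_settings(rep):
        print(f"tampered: {path}  found={bad} restored={good}")
    for f in persistence_entries(rep):
        print(f"autostart: {f.path} ({f.category})")
```

Run it as a script for a summary, or feed the pasted text of your own mbam-log-*.txt to parse_mbam_log. The count cross-check is worth keeping: helpers on forums ask for the complete log, and a mismatch between the summary and the detail sections is the quickest way to tell that a paste was cut short.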

#4 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 30 June 2009 - 11:27 PM

Reboot your computer, run the Malwarebytes full-scan and post the new log.

#5 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 02 July 2009 - 01:17 AM

Dear budapest

Thank you for the reply. I am herewith sending you the "full scan" log of MBAM for your reference. Please go through it and advise. Kindly advise me on the possible precautions I should take in order to avoid such infections in the future.

Thanking you once again.

Prabsi

-----------------------------------------------------------------
MBAM Full scan Log


Malwarebytes' Anti-Malware 1.38
Database version: 2357
Windows 5.1.2600 Service Pack 2

7/1/2009 10:16:59 AM
mbam-log-2009-07-01 (10-16-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120284
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 02 July 2009 - 01:23 AM

Let's run another scan as a double check:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 03 July 2009 - 03:53 AM

Dear Budapest

Please find the scan log of SUPERAntiSpyware for your reference.

Thank you again.
-----------------------------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/03/2009 at 01:29 PM

Application Version : 4.26.1006

Core Rules Database Version : 3969
Trace Rules Database Version: 1909

Scan type : Complete Scan
Total Scan Time : 01:59:49

Memory items scanned : 214
Memory threats detected : 0
Registry items scanned : 5094
Registry threats detected : 23
File items scanned : 36895
File threats detected : 1

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-839522115-1659004503-725345543-1003\SOFTWARE\FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Type
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Start
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum#NextInstance

Trojan.Downloader-Gen/Suspicious
C:\SOF_BACKUP\ACALA DVD CREATOR V2.8.5\KEYGEN\KEYGEN.EXE

#8 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 05 July 2009 - 04:39 PM

How's your computer running now?

#9 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 06 July 2009 - 05:14 AM

Dear Budapest

My computer is running normally. Thanks for all the advice. What's my next step now?

Prabsi

#10 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 10 July 2009 - 03:40 PM

Sorry for the late reply.

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#11 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 14 July 2009 - 03:30 AM

Dear Budapest

I have created the restore point. I checked up with the programs and I didn't see any java entries.

Do I need to keep MBAM & SUPERAntiSpyware in the system and do regular scans?

Kindly advise me on my next step.

Thanks again..

Prabsi

#12 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 14 July 2009 - 04:12 PM

MBAM and SAS are both excellent scanners and it wouldn't hurt to keep them and run an occasional scan.

Some reading material

http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Other than that you are good to go.

#13 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2009 - 12:37 AM

Dear Budapest

Ok, I went through the reading material. I will do all that.

1) Can you kindly elaborate on the "Java entries" you were mentioning in your last mail? What are they, and what do they indicate?

2) While scanning with SAS, you had asked me to select only a few of the scanning preferences. Should I scan only with those preferences in the future also? What about using the other preferences?

Prabsi

Edited by prabsi, 15 July 2009 - 12:42 AM.


#14 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 July 2009 - 12:54 AM

Java™ 6 Update 14 is the current one. Any older, out-of-date ones should be removed.

I don't have a copy of SUPERAntiSpyware installed on the machine I'm using at the moment. What other preferences are you thinking about?

#15 prabsi
  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2009 - 10:43 AM

Dear Budapest

1) In my Add/Remove program list I don't have any Java update at all (not even the older versions). Does this imply anything?

2) In SAS, under Preferences > Scanning Control > Scanner Options, it has various options like:

Ignore files larger than 4 MB (recommended)
Ignore non-executable files (recommended)
Ignore system restore/Volume information on ME/XP
Scan only known files (.exe, .com, .dll, etc.)
Close browsers before scanning (you have suggested selecting this option)
Scan for tracking cookies (you have suggested selecting this option)
Resolve links/Shortcuts during scan (.lnk)
Terminate memory threats before quarantining (you have suggested selecting this option)
Scan alternate data streams
Use kernel Direct File access (recommended)
Use kernel Direct Registry Access (recommended)
Use Direct Disk Access (recommended)
Display scan option in Explorer context (right-click) menu

So my query is: is it enough if I select only those 3 options among all the above? What about the other options?

Thanks

Prabsi



