Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection - DNSCharger.r (Trojan), Generic FakeAlert.k (Trojan) and SetupGameVance.exe


  • Please log in to reply
12 replies to this topic

#1 brussel57

brussel57

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 01 July 2009 - 01:07 AM

Quick background - My young teenage son clicked on pop-up for Duck Hunt. He told me after he clicked popup he got message that "something" was being installed but he couldn't stop it. And now I am infected with some kind of virus.

I ran full scan on my McAfee, rebooted when it told me to and ended with the log showing following infections on my computer:

DNSCharger.r (Trojan); Generic FakeAlert.k (Trojan); FakeAlert-SpywareGuard.gen.b (Trojan). Major location of them appear to be in c:\windowns\system32 - with different dll files. There is also message about unwanted program (log's words) SetupGamevance[1].exe in Temp Internet files\Content.IES


(I'm not sure if you need the actual path but if so I can enter them). I just can't seem to copy and paste the info or print the log out.

All are showing in the log as "cannot be removed" except for the Gamvance which shows as "cannot be repaired" and McAfee did not or cannot quarantine them.

I know that at least one of them is trying to redirect me on google search. This is what clued me in to what happened, when I was looking for a site and it tried to tell me it was at a different address from what I remembered. I'm not sure what the others will do.

Is there something I can do to get these off my computer? Can some one help me?

I am running Windows XP Home Edition Version 2002 Service Pack 3. I have an Emachine T3104. Not sure what other info I need to enter.

Thank you to anyone who can help me.
brussel57

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 01 July 2009 - 07:22 AM

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing and scanning in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.

Edited by quietman7, 01 July 2009 - 07:23 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 01 July 2009 - 07:27 PM

Hi quietman7,

Thanks for getting to me so quickly. I've done what you said in regards to downloading mbam-setup.exe. Made sure to follow the steps to disable McAfee. When I tried to disable spybot search and destroy I couldn't get it to open and finally uninstalled it so I could proceed.

Unfortunately when I tried to install mbam-setup.exe. it would not proceed, I didn't even get an error message about it. I changed the extension, and name like instructions said. No go. I finally went back to the download area for it and this time clicked run instead of save just so I could finally get it installed. However, I still can't get it to run. I made sure the option to run and update were clicked. Then I tried to click the icon and nothing happens. I even right clicked and the open. Nothing. Can't figure out what is doing it, I've never encountered this before.

This is one thing that I've noticed. I have verizon fios on my computer and there is Verizon Servicepoint on it. I chose the "stop service" button in case this is what was causing problems.

I starting to think the virus knows what I'm up to and is taking steps to stop me. Is there anything else I can do it make it work?

So to be so long winded but couldn't explain it in fewer words.

brussel57

Edited by brussel57, 01 July 2009 - 07:35 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 01 July 2009 - 09:49 PM

If you cannot run MBAM or complete a scan in normal mode, then try performing a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM but in some cases, there is no alternative but to do a scan in safe mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 01 July 2009 - 11:37 PM

Hi quietman7

Still can't get MBAM to run. I just spent the hour and a half going into safe mode to see if it would start with no luck. I then uninstalled McAfee (will re-install later) thinking that perhaps it was interfering. Uninstalled Spybot as well. Then uninstalled MBAM and reinstalled it hoping this might work.

I'm at a lost as to why I can't get it to run. I have never encountered this before.

One thing I was thinking, if I daisy chain this drive with another drive - making this one the slave would I have the option with MBAB to choose which drive to scan?

Do you have any other suggestions?

BTW, should I let you know what the exact dll files which showed in the log as being infected?

Edited by brussel57, 02 July 2009 - 06:57 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 02 July 2009 - 07:57 AM

BTW, should I let you know what the exact dll files which showed in the log as being infected?


Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

When done, see if MBAM can run.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 02 July 2009 - 08:12 AM

Thanks, I'll install Dr.Web CureIt as soon as I get home and will post log.

I'm keeping my fingers crossed.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 02 July 2009 - 08:59 AM

Good luck.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 04 July 2009 - 11:00 PM

Hi quietman7

Sorry it took so long to do what you said. I would have been done sooner but forgot I had an extra hard drive attached which was pretty much junk. Discovered it when Dr.Web CureIt kept crashing when it tried to scan it. Had to remove the extra drive in order to get CureIt to run properly. I was able to get Dr.Web CureIt to finally scan my computer. Dr. Web CureIt indicated the following problems.

c:\windows\system32\uaccadpmexwnyhrbqtqd.dll - trojan.packed.365 - moved
c:\windows\system32\uaclgmayafqbtfcxjeyl.dll - trojan.packed.365 - moved
c:\windows\system32\uacmlesvtpursiavluw.dll - backdoor.tdss.105 - deleted
c:\program files\common files:InstallHelper.exe - probably Dloader.trojan - deleted
c:\program files\Verizon\40bab397f6061abb0 - probably Dloader.trojan - moved

I notice that two of the above files are what McAfee showed me which it couldn't remove or cure. Theses are the files McAfee indicated were problems and what problems weret:

c:\windows\system32\uacaadpmexwnyhrbqtqd.dll - generic fakealert.k
c:\windows\system32\uacmlesvtporgslavtuw.dll - DNSCharger.r
c:\windows\system32\uaclgmayagqbtfcxjeyl.dll - FakeAlert-SpywareGuard.gen.b

Now that I see there are trojans, is there still hope for my computer? :thumbsup:

Edited by brussel57, 04 July 2009 - 11:05 PM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 05 July 2009 - 06:55 AM

Can you get Malwarebytes Anti-Malware to run now? If so, perform a Quick scan in normal mode and post the log results.

IMPORTANT NOTE: One or more of the identified infections, (UAC[random characters].***) was related to a backdoor Trojan and a nasty variant of the TDSSSERV rootkit . Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 05 July 2009 - 04:40 PM

:thumbsup: No still can't get it to Malwarebytes to run. Doesn't matter what mode I'm in. Tried all the trick with renaming and changing extension but nothing. When I click on it there is no response not even an error message. I even went to site and got another copy and reinstalled it. It's almost like something is stopping it. (hope that doesn't sound paranoid).

From what I read in your reply - it sounds like I would be better off reformatting the drive. I really wouldn't feel safe knowing there is a chance anything can be lurking on it.

Could I ask you, as a professional would you chance using a computer which had a backdoor trojan on it, even though it might appear to be "cleaned". In my heart I think I know the answer but just want to double check with someone other than myself.

BTW, would it be safe to move documents from this computer to an external drive or is there a chance of moving the virus with them? My music was on external drive which I had disconnected so I'm not worried about that but do have some papers I would rather not lose.

Edited by brussel57, 05 July 2009 - 05:45 PM.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:16 PM

Posted 06 July 2009 - 05:47 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links previously provided. As I already said, in some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. Should you decide to reformat, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

Should you decide to reformat and you're not sure how to do that or need help, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Long Island
  • Local time:10:16 PM

Posted 06 July 2009 - 11:29 PM

I know you can't make the decision for me as to what to do. As I said before I know in my heart what I have to do but really dread it. The infected computer is quite older and the motherboard wouldn't see hard drives over 200 gigs. I have been debating for a while on getting a new one and guess this is just a sign to do so. Luckily I have another computer which wasn't compromised which I can use in the meantime.

The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too.


So any screensavers I have on the computer are pretty much gone. Not a big deal. It's my documents that I am really worried about. (Because, of course, I haven't backed them up for a while.) At least from what you say they are recoverable. Luckily my music was automatically sent to an external hard drive and never made it to the main drive. (The external wasn't hooked up to the computer when everything went down so they aren't involved)

But when you say files with html extensions - would that include my favorites/bookmarks of websites?

If so, would it be safe to create a text document in notepad with the addresses of the different websites I have marked?
I know that notepad will not show hyperlinks as oppose to word or wordperfect which could show the hyperlinks in the document. That way I can still recover them later.

Sorry to keep bothering you. Just want to make sure I cover everything before taking the computer out of commission.

Edited by brussel57, 06 July 2009 - 11:29 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users