Bot, Trojans, Rootkit and more.. help please?


7 replies to this topic

#1 FEAPsycho

FEAPsycho

  • Members
  • 9 posts

Posted 09 July 2009 - 05:37 PM

Recently, my computer was acting VERY slow, so I tried to run MBAM, and it didn't work, the same for HJT. I reinstalled them under a different name and got them working. MBAM displayed about 70 different infections, rootkits, and Trojans (mainly Metus.bot and Turkojan.rootkit), and FOISTWARE sites randomly opening in Internet Explorer. (I use FF3, so this was extremely annoying.)

I'm not a complete newbie to this; I've removed most of them: the Turkojan, the Metus bot, and a few instances of PoisonIvy, and also the FOISTWARE problem (Kiwee toolbar).

There are still only a couple of problems that I can't fix on my own. For one, the EXTREMELY SLOW BOOT: it takes about 30-45 minutes for my computer to boot up.
I can't boot into Safe Mode. It goes black, tries to load a TON of .sys files (legit ones, I'm pretty sure; I couldn't see too well, it was scrolling), then it's a bluescreen and a restart. (Upon restart there is a "Windows has recovered from a serious error" box.)

My only problem now is the slow bootup and the refusal to shut down properly (I have to hold the button on my computer; the Start menu doesn't work, and neither does %windowskey% + R "shutdown -s -t 00").

Along with random redirects to search websites, searching for porn. (estatesearchworld.com)

I have MBAM and HJT logs ready to be posted upon request.

EDIT: The redirect location is google-redirect.com/r.php. Every time I try to click on ANY link, it takes me to that.
At the website http://google-redirect.com is a login form with the title "Seo cash.us", if it has any relevance. Isn't this blackhat SEO for ads to make money?

If it might help, here's the page source for the login page (the URLs are now added to my block list, but it's still happening):
<html>
<head><script src="http://google-redirect.com/js.php?u=59&b=1946425929"></script>  
<title>Seo cash.us</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251" />
<script src="scripts/func.js"></script>
<link rel="stylesheet" href="imgs/css.css">
</head>
<body bgcolor="silver" marginwidth="0" marginheight="0" topmargin="0" bottommargin=0 background="imgs/bg.gif">
<table cellpadding="0" cellspacing="0" width="100%" align="center" style="margin-top:15%">
<tr>
<td align="center">
<br>

<form action="?do=auth" method="POST">

<input name="login" value="" size="15" style="margin:2px;"><br>
<input size="15" value="" type="password" style="margin:2px;" name="pass"><br>
<input type="submit" value="» Enter"  style="margin:2px;">
</form>
</td>
</tr>

</table>
</body>
</html>

Thank you in Advance,

-Psycho

Edited by FEAPsycho, 09 July 2009 - 05:55 PM.
Moved from XP to a more appropriate forum. Tw



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:01:08 PM

Posted 09 July 2009 - 06:21 PM

Post the MBAM log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 FEAPsycho

FEAPsycho
  • Topic Starter

  • Members
  • 9 posts

Posted 09 July 2009 - 06:24 PM

Scan has been analyzed by staff

Edited by FEAPsycho, 09 July 2009 - 06:35 PM.


#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:01:08 PM

Posted 09 July 2009 - 06:33 PM

I'm guessing this is how you got infected:

c:\documents and settings\louie monday\my documents\downloads\adobe.all.products.v1.02.keymaker.only-core\cr-ani12\keygen.exe

Reboot. Run another MBAM quick scan and post the new log.

#5 FEAPsycho

FEAPsycho
  • Topic Starter

  • Members
  • 9 posts

Posted 09 July 2009 - 06:37 PM

Ah, that might do it.

I don't recognize that file; probably someone else who uses this computer (family computer).

Fresh log coming up.

#6 FEAPsycho

FEAPsycho
  • Topic Starter

  • Members
  • 9 posts

Posted 09 July 2009 - 06:51 PM

Well, I think it's all fixed now. There was one infection, and MBAM deleted it.

Here's the log:
Malwarebytes' Anti-Malware 1.38
Database version: 2401
Windows 5.1.2600 Service Pack 3

7/9/2009 4:50:34 PM
mbam-log-2009-07-09 (16-50-34).txt

Scan type: Quick Scan
Objects scanned: 87290
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Well... I'm pretty sure that's it. Thank you for your help.

Edited by FEAPsycho, 09 July 2009 - 06:52 PM.
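The one remaining detection in the log above is a value named taskman under the Winlogon key. On a clean Windows XP system that value does not exist; Winlogon only consults Shell and Userinit there, so anything else that appears (or anything appended to those two, which are comma-separated lists) is a logon-time persistence point worth checking by hand. The script below is an added example, not part of the original thread or of Malwarebytes: it parses the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and reports every entry that is not a stock XP default. The expected defaults assume Windows is installed to C:\WINDOWS, and the sample `reg query` output, including the example-dropper.exe path, is constructed for the demonstration.

```python
"""Audit Winlogon values that load code at logon (Shell, Userinit, Taskman).

Added example. Feed it the text of:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
and it lists every entry that is not a stock Windows XP default.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows XP defaults (assumption: Windows installed to C:\WINDOWS).
# Taskman has no default: on a clean system the value is absent, so any
# entry found under that name is reported.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "taskman": set(),
}

# `reg query` value lines are indented: <name> <type> <data>
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} from `reg query` output for one key.

    The key line and the XP banner start in column 0, so they do not match.
    """
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def _entries(data):
    # Winlogon values are comma-separated command lists; normalize for comparison.
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def audit_winlogon(values):
    """Return [(value_name, entry)] for every entry not in EXPECTED.

    Values other than Shell/Userinit/Taskman are ignored; they do not
    launch programs at logon.
    """
    findings = []
    for name, data in values.items():
        key = name.lower()
        if key not in EXPECTED:
            continue
        for entry in _entries(data):
            if entry not in EXPECTED[key]:
                findings.append((name, entry))
    return findings


# Constructed sample output in `reg query` layout; the Taskman path is a
# placeholder, not a real malware name.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Taskman    REG_SZ    C:\WINDOWS\system32\example-dropper.exe
    ReportBootOk    REG_SZ    1
"""

if __name__ == "__main__":
    for name, entry in audit_winlogon(parse_reg_query(SAMPLE_REG_QUERY)):
        print("%s: unexpected entry %s" % (name, entry))
```

Run on a real box, pipe `reg query` into a file and pass its contents to `parse_reg_query`; MBAM quarantines the value it flags, but Shell or Userinit with an extra path appended after the default is the same persistence trick and survives a tool that only looks for a known value name.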


#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:01:08 PM

Posted 09 July 2009 - 06:58 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#8 FEAPsycho

FEAPsycho
  • Topic Starter

  • Members
  • 9 posts

Posted 09 July 2009 - 07:44 PM

I will do this tomorrow; I have to go.
