Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Infection?


  • Please log in to reply
10 replies to this topic

#1 billythekid69

billythekid69

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 10 July 2009 - 12:59 PM

First time here, go easy on me. Hope this is the right place to post.

Think I have a redirect virus. Using Windows XP, Firefox and Google (same thing with IE and other search engines).

Almost all searches end up at totally unrelated sites or ads with some common threads.

I have run:
Malwarebytes
Spybot
AVG
SpyDoctor

They have found nothing.

Any help would be appreciated.

Thanks, Bill

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:55 PM

Posted 10 July 2009 - 01:30 PM

Hello billythekid69 and :thumbsup: to BleepingComputer.

Let us see if we can zap this bugger :flowers:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
SUPERAntiSpyware Log

Edited by Blade Zephon, 10 July 2009 - 01:30 PM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 billythekid69

billythekid69
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 10 July 2009 - 08:31 PM

Here is the log from SuperAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2009 at 02:47 PM

Application Version : 4.26.1006

Core Rules Database Version : 3985
Trace Rules Database Version: 1925

Scan type : Complete Scan
Total Scan Time : 02:01:53

Memory items scanned : 314
Memory threats detected : 0
Registry items scanned : 7464
Registry threats detected : 13
File items scanned : 62502
File threats detected : 1

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}
HKCR\CLSID\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}
HKCR\CLSID\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}\InprocServer32
HKCR\CLSID\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\URQRQJIX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}
HKU\S-1-5-21-283629275-3374621811-1598816260-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}
HKCR\CLSID\{3FFE90FB-0431-4ED5-AF76-8BF8AE7E0B35}

Rogue.Component/Trace
HKLM\Software\Microsoft\1CEE4005
HKLM\Software\Microsoft\1CEE4005#1cee4005
HKLM\Software\Microsoft\1CEE4005#Version
HKLM\Software\Microsoft\1CEE4005#1ceeed85
HKLM\Software\Microsoft\1CEE4005#1cee8460

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:55 PM

Posted 12 July 2009 - 08:53 AM

Hello,

How is the computer running now?

Edited by Blade Zephon, 12 July 2009 - 08:53 AM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 billythekid69

billythekid69
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 12 July 2009 - 09:58 AM

The first 4 or 5 searches work ok, then they are all redirected. Guess I still got the bug.

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:55 PM

Posted 12 July 2009 - 06:51 PM

Hello,

Firstly, sorry for my initial delay in getting back to you. I was sick in bed all Saturday. Thankfully, I am feeling much better today. :thumbsup:


I know you said you ran Malwarebytes already, but I would like to try running it again now that SUPERAntiSpyware has removed some of the infection. Please update Malwarebytes, then run a quick scan in Normal Mode. Please post the log back here for my review.

***************************************************

Additionally, I'd like for you to run this scan.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
In your next reply, please include the following:
Malwarebytes Log
Dr. Web Cureit Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 billythekid69

billythekid69
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 13 July 2009 - 12:53 PM

Glad you're feeling better and really appreciate your help. I've done as requested and did some searching - no redirection as of yet.

If this has done the trick, any suggestions on avoiding more infections? Also, do you take donations?


Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 5.1.2600 Service Pack 3

7/12/2009 6:32:41 PM
mbam-log-2009-07-12 (18-32-41).txt

Scan type: Quick Scan
Objects scanned: 101471
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




skynetlkpokyha.sys;c:\windows\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\br\My Documents\Downloads\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\br\My Documents\Downloads\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\br\My Documents\Downloads;Archive contains infected objects;Moved.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
SKYNETsjdahrkg.dll;C:\WINDOWS\system32;Trojan.DownLoad.38278;Deleted.;
SKYNETsrjildfn.dll;C:\WINDOWS\system32;Trojan.Packed.2479;;
SKYNETlkpokyha.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.2479;Incurable.Moved.;
SKYNETacsupwfuen.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETadtxothlkr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETapfdkodepl.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETbbhpafjxbg.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETbbsimqieqb.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETbcxrvhxspp.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETblkkbeokfb.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETbmqbsecepd.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETcbhiitpdhy.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETcbkgaiofgg.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcktikbuyvo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETcvfinmdtpq.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETdbpfwpvpoj.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETdglrtfpfki.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETdkbkqbgqeb.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETdmllrowrfb.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETduvtwjmhxl.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETebuaxvyttt.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETegjycasete.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETegkekulidi.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETenosjxeefc.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETeuyndlqlol.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETevvpsbsagq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETfjjytmaaxm.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETfwevognfpf.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETgpfsdiedyh.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETgtwuuumsbh.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETguqiqrckuo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNEThpdfobnqoe.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNEThynpcycisw.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNEThyxonelhij.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNEThyyvljrbip.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETibyuduksvd.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETilnvsrnwki.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETiqiqfltogg.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETitklrmgyjc.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETiyvtqdrhkw.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETjgmljklftf.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETjjvsfghmlm.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETkasvqtegwk.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETkgheehqxmp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETksexmbesnt.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETkvnvlrqvse.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETkynaxkjesd.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETlbsrrmensc.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETlffgqvcstb.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETlnkxyiapdu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETlykhsvltoq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETmirmpoboat.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETmyihoujxyr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETmyiyqbfdfj.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETmykqixvtjm.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETootnikmehg.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETorlelkvplx.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETpvbrngypew.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETpvcxjsevpo.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETpxrwcfovsq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETqbtvkrmufw.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqebsxqufsl.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETqmrfisldkj.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETqmwbvpdmcv.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqnxwhpyyek.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETqqvpeqxkky.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqthhqelfns.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETqwdwsibjqq.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETqxdcpuvlmr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETrdvilpsbbd.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETrfsiboxgre.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETryvtslewgp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETslucbskpvm.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETslxuelbqet.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETssdiwxteut.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETtbcyjonpfs.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETtbukndyuok.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETtntiwcpqtu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETttotilehvm.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETtvmbtdrwut.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETtvmygwrdof.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETudhvpfpiej.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETuvtygpsggx.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETvetonjgrjd.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETvissovyvym.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETvkegyoqptu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETvoqekcequh.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETvqnxaipnlx.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETvqpawmmbrc.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwltqgoicuw.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETwncefptbnp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETwqsqdaohyy.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETwrjnxwtlga.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETxaetwygqnn.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETxdvoggcsea.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETxjdvlwmbjp.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETyeivssfbvp.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETyffhqbrfyn.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETyflweleplf.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
SKYNETyybraejoar.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.38278;Deleted.;
SKYNETyyuprkokaq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:55 PM

Posted 13 July 2009 - 02:06 PM

Hello,

Wowsers. . . look at all that. :thumbsup:

Please take note of the following:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

***************************************************

Okay, looks like we cleaned up most of the infection, but I'd like to run an online scan just to be sure.

ESET Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer
.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Please submit the ESET report for my review.

In your next reply, please include the following:
ESET Online Report

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 billythekid69

billythekid69
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 13 July 2009 - 06:03 PM

No threats were found.

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:55 PM

Posted 13 July 2009 - 09:55 PM

Fantastic! :thumbsup: Your machine appears to be clean!

any suggestions on avoiding more infections?



Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above.

Next, please hide your System Files. To do this, please refer to the following guide and reverse its steps: "How To See Hidden Files in Windows."


This should give you a good start into malware free pc usage. However I do suggest to visit the following additional information listed below:I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atl east one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

do you take donations?

I'm still in training, so I do not have a donation system set up at this point. A simple thanks is more than enough :flowers:

~Blade

Edited by Blade Zephon, 13 July 2009 - 09:55 PM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 billythekid69

billythekid69
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 14 July 2009 - 10:14 AM

Alright then - thanks!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users