virus/trojan attack - now .exe .com files blocked


35 replies to this topic

#1 friedrichroehm (Members)

Posted 16 July 2009 - 09:16 PM

I just got the virus/trojan attack that starts with a popup similar to "Your computer has downloaded spyware!" and starts a fake spyware scan with a yellow/gray shield icon and replacing cpu background with a big blue and red spyware warning. McAfee and other programs started erroring so I just power button shut down the computer and tried a bunch of McAfee virus scans in regular and safe mode. Didn't remember or note all of the ones it would find except for it couldn't fix the C:\Windows\Fonts\Services.exe problem and I wasn't allowed to delete that file from my fonts folder. Also had McAfee popup warnings of Virtumonde and I believe McAfee & Spybot warnings of registry changes. Also a "Advertisement Services" in Add/Remove Programs that may have been related?? Kept trying to remove that program but kept getting errors and asked if I wanted to remove from the list until it did just Remove on the 6th or 7th attempt after each reboot. Kept mainly to starting in safe mode and about a minute after boot up McAfee shows protection problems that you can't just click the "Fix" button or it would say an error occurred. I originally thought that may be an issue with safe mode but now I'm not so sure. I'd usually just go from that warning screen over to the full scan.

McAfee scans kept turning up trojans, sometimes a handful and sometimes a lot, 269 I think was the last one. Adaware was working but the last scan out of that didn't find anything so stopped scanning with that. Also Spybot was unable to open in regular or safe mode. Downloaded MalwareBytes and SuperAntiSpyware on my other computer and thumb drived them over, but couldn't get those to execute when I tried. Tried renaming and also switching those install files to .com but my computer seems to be getting worse.

Performed yet another McAfee scan that I'm pretty sure was the only one to not have any items left over afterward that hadn't been quarantined or fixed. (the 269) Was hoping that was a good sign and might be able to install the MalwareBytes and SuperAnti but now it tells me I can't execute any of my .exe files without getting the "what program would you like to open this file with" window. McAfee still starts at startup but now is erroring very early in scans on Can't Find File errors which I'm now getting anytime I try any control panel program, etc. Would check Add/Remove programs but it Can't Find File.

Tried finding a fix for that, but couldn't get into regedit through the command prompt as well anymore either. Tried to see if I could open SafeMode w/ Command Prompt and that did seem to get me into Regedit fine, but the "%1" %* info I was supposed to replace in HKEY_CLASSES_ROOT\exefile\shell\open\command was already in there and had no effect, so not sure what the next step is???


#2 rigel (BC Advisor)

Posted 17 July 2009 - 01:09 PM

Try thumb driving this over...

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 friedrichroehm (Topic Starter)

Posted 17 July 2009 - 05:02 PM

Moved that file over and tried to open in both safe and regular mode and that .exe file also won't execute with the same "Which Program would you like to open the file with" chooser window.

#4 rigel (BC Advisor)

Posted 17 July 2009 - 06:10 PM

Try renaming SmitfraudFix.exe to winlogin.exe See if that will work.


#5 friedrichroehm (Topic Starter)

Posted 17 July 2009 - 06:21 PM

Tried that a couple times upon reboots, but it's still kicking me to the "Open With" chooser.

#6 rigel (BC Advisor)

Posted 17 July 2009 - 07:39 PM

Okay - Let's proceed straight to the HJT forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.


#7 friedrichroehm (Topic Starter)

Posted 17 July 2009 - 09:01 PM

Tried opening that ddr.scr file I moved over a few times in regular and safe mode, but that's getting sent to the "Open With" chooser as well under the filename cmd.exe

Getting a lot of C:\Windows\system32\mszhdx.exe not found errors on startup (often but now always). I couldn't double click my Windows Explorer desktop shortcut without a cannot find Explorer.exe, but the right click start - explore brings open a navigator. The machine really took a big step backward after that last McAfee scan and reboot after. (not sure if there's any direct link though??)

#8 rigel (BC Advisor)

Posted 17 July 2009 - 10:00 PM

I am going to ask a HJT team member to join us with this topic.


#9 rigel (BC Advisor)

Posted 17 July 2009 - 10:03 PM

Can you post the McAfee log?


#10 friedrichroehm (Topic Starter)

Posted 18 July 2009 - 05:28 PM

Looked in McAfee Security Center for full Scan Log files and through program folders but didn't find anything that had full scan histories.

The View Recent Events Tab has a View Log button that doesn't do anything when I click it??

View Recent Events

7/15/2009 12:54:42 PM SystemGuards have allowed future changes to your computer (describ...
7/15/2009 12:54:35 PM SystemGuards have blocked future changes to your computer (describ...
7/15/2009 12:54:00 PM SystemGuards have blocked a one-time change to your computer.

those 3 entries had basically the same info window of:
Rule Type: Registry
Process: C:\WINDOWS\Fonts\services.exe
Process version: 1.00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\exec

I was surprised to see the last "allowed future changes" entry after thinking I had tried to block everything that I could, but I could've clicked allow mistakenly back then I suppose. So I clicked on the Block button for that last allow entry (which hopefully doesn't mess anything up??) and ran a new scan to try to get some new log info. (I had backed off my repeated McAfee scans after .exe errors started occurring early into them)

At first it looked like it was only finding 2 instances of PRCviewer associated with that Smitfraudfix.exe/winlogin.exe file, 1 entry with Possible Unwanted Program and another with NTOSKRNL-HOOK trojan with it, as well as a 3rd file it was showing as fixed. I removed that Smitfraudfix.exe for now and rescanned a couple more times to get a new Scan Log straight from the McAfee scan results (still getting the occasional .exe error early in scans - mcods.exe application error - the memory could not be "read", and still have no opening abilities with all the other .exe files)

But the last couple scans are now showing just
NTOSKRNL-HOOK
as 1 Item Detected and 1 Item Fixed, but it returns every time I rescan.

#11 rigel (BC Advisor)

Posted 18 July 2009 - 07:58 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.


#12 friedrichroehm (Topic Starter)

Posted 18 July 2009 - 08:06 PM

I can't do anything with any .exe right now. Is this one supposed to behave differently?

#13 friedrichroehm (Topic Starter)

Posted 18 July 2009 - 08:21 PM

Memory stick'd that one over and tried without internet before attempting while connected but that one goes to the Open With what program chooser as well.

#14 rigel (BC Advisor)

Posted 18 July 2009 - 08:53 PM

Let's try to fix file associations

Restore default association for EXE files. Transfer those over and extract the files.


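Added note and example, not part of any post in this thread: the symptoms described above (every .exe bounced to the "Open With" chooser, HKEY_CLASSES_ROOT\exefile\shell\open\command already reading "%1" %*, renaming to .com not helping, and the McAfee event in post #10 showing C:\WINDOWS\Fonts\services.exe writing to ...policies\Explorer\Run) are the classic signature of a file-association hijack plus a Run-key autostart. Two facts explain why the key the poster checked looked clean while launching still failed: HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and the per-user entries take precedence; and the chain can be broken at the .exe -> exefile mapping rather than at the exefile command value, so inspecting only one of those locations proves nothing. The "Restore default association" fix in post #14 works because it rewrites the whole chain. The PowerShell script below is the editor's own illustration, not the thread's or McAfee's tooling. It audits the HKLM chain for .exe and .com, flags any HKCU overrides, lists the common Run keys (including the policies key from the log), and rewrites the association defaults only when run with -Repair. It assumes stock Windows XP/Vista/7 defaults, an elevated prompt, and PowerShell being present (on XP that means the separately installed 2.0 release); the filename Check-ExeAssoc.ps1 and the "suspicious location" heuristic are the editor's choices, and the heuristic is a hint to look closer, not a verdict.

```powershell
# Check-ExeAssoc.ps1  (added example, editor's own; hypothetical filename)
# Audits the registry chain that decides how .exe/.com files launch, lists
# autostart values, and repairs the association defaults when -Repair is given.
# Read-only by default. Run from an elevated prompt (Safe Mode is fine).
param([switch]$Repair)

# Stock defaults for Windows XP/Vista/7 (assumption; adjust for other builds).
$Default = @{
    'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
    'HKLM:\SOFTWARE\Classes\.com'                       = 'comfile'
    'HKLM:\SOFTWARE\Classes\comfile\shell\open\command' = '"%1" %*'
}

# HKCR = HKLM\Software\Classes merged with HKCU\Software\Classes; the per-user
# entries win. A rogue that plants .exe here leaves the HKLM exefile key (the
# one checked in post #1) looking untouched while every launch still fails.
$UserOverrides = @(
    'HKCU:\SOFTWARE\Classes\.exe',
    'HKCU:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\SOFTWARE\Classes\.com',
    'HKCU:\SOFTWARE\Classes\comfile\shell\open\command'
)

# Autostart locations, including the policies\Explorer\Run key that the McAfee
# event in post #10 showed C:\WINDOWS\Fonts\services.exe writing to.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

function Get-DefaultValue([string]$Path) {
    # The key's "(default)" value, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

'== EXE/COM association chain (HKLM) =='
foreach ($path in $Default.Keys) {
    $actual = Get-DefaultValue $path
    $ok = ($actual -eq $Default[$path])
    '{0,-4}{1}  =  {2}' -f @($(if ($ok) { 'OK' } else { 'BAD' }), $path, $actual)
    if (-not $ok -and $Repair) {
        New-Item -Path $path -Force | Out-Null        # recreates a deleted key
        Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $Default[$path]
        "    repaired to $($Default[$path])"
    }
}

''
'== Per-user overrides (absent on a clean machine) =='
foreach ($path in $UserOverrides) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    "HIJACK? $path  =  $(Get-DefaultValue $path)"
    if ($Repair) {
        # Removing the override makes the HKLM entry authoritative again.
        Remove-Item -LiteralPath $path -Recurse -Force
        '    removed'
    }
}

''
'== Autostart values =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not registry values
        # Heuristic only: executables started from Fonts, Temp or a profile
        # directory deserve a second look, as with Fonts\services.exe above.
        $flag = ''
        if ("$($p.Value)" -match '\\Fonts\\|\\Temp\\|Application Data|AppData') {
            $flag = '   <-- suspicious location'
        }
        "$key\$($p.Name) = $($p.Value)$flag"
    }
}
```

Run it once without arguments to see the state, then `.\Check-ExeAssoc.ps1 -Repair` from an elevated prompt to rewrite the four association defaults and drop any per-user overrides. The script deliberately does not delete anything under the Run keys: a value it flags should be read together with a scan log before removal, and the underlying file (here the copy of services.exe in the Fonts folder) still needs to be dealt with by the malware-removal team the thread was being handed to.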
#15 friedrichroehm (Topic Starter)

Posted 19 July 2009 - 10:41 AM

That file association did seem to bring back some functionality, right afterward I tested on the DDS I still had on my desktop and now it performed the scan and produced a log. Should I go ahead and post that in the HJT forum or were there any additional steps like the Smitfraudfix or other scan soft installation I should try before that at all? I just stopped and shut her down once I made it that far.
