Problem w/ Win32 Renos Trojan


19 replies to this topic

#1 aye


Posted 20 July 2009 - 08:03 PM

How I got the virus

I tried downloading iPod repair software and I obtained the Win32/Renos trojan this way (I'm 99% sure).

What I've done so far

After getting the trojan, I got a pop-up from Windows Defender to remove it. I clicked remove, but soon enough it would reappear yet again. I tried opening Mozilla Firefox or Internet Explorer, but both of them would only open for a split second before closing.

I then ran Malwarebytes' Anti-Malware, and it found multiple infected files. I checked off all the boxes and removed all of them. I tried opening Firefox and IE again, but it would still close after opening for a split second.

After doing this I ran a Windows Defender scan, and tried the Symantec W32 Downadup Removal Tool. The Windows Defender scan found no viruses or trojans, and the Symantec tool found multiple infected files which I chose to remove. Still, I couldn't get Firefox or IE to work.

Lastly, I tried installing SUPER Anti Spyware, but it would crash during the installation phase, and bring me to a blue screen.

Problems

Internet works fine on my other computers connected to a main network, but Firefox and IE on the infected computer close after a split second of opening. I'm sure the Win32/Renos trojan is causing this, as Firefox and IE work fine when I boot up the computer in Safe Mode.

SUPER Anti Spyware crashes during installation.

Information about my computer

I am running Windows Vista Home Edition on a Dell Dimension DIME521.



Please let me know if more information is needed, and how I should proceed from here.

Also, thank you VERY much to anyone in advance who can help. Any help would be appreciated. :thumbsup:

-Adrian


#2 boopme


Posted 20 July 2009 - 09:12 PM

Hello and welcome.
Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next please run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 garmanma


Posted 20 July 2009 - 09:12 PM

I see boopme is going to answer but I'll add this
NOTE: If you get a blue screen type crash or any other crash of SUPERAntiSpyware when trying to run the scan, then after a reboot configure the below options and rescan:

  • Run SUPERAntiSpyware
  • In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options uncheck the below two options:
    • Use Kernel Direct File Access (recommended)
    • Use Kernel Direct Registry Access (recommended)
  • Then try doing a new Complete scan.
Mark

#4 aye


Posted 20 July 2009 - 10:13 PM

First off, thanks for the quick reply boopme and garmanma!

Here is the scan log for the MBAM scan:

Malwarebytes' Anti-Malware 1.39
Database version: 2468
Windows 6.0.6000

7/20/2009 7:56:17 PM
mbam-log-2009-07-20 (19-56-17).txt

Scan type: Quick Scan
Objects scanned: 81842
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





As for the SmitFraudFix, I wasn't able to run it with Windows normal mode. Even when I renamed the file, access would be denied (I'm guessing by the trojan?). I then re-booted my computer in safe mode and the SmitFraudFix worked. This is what the scan log gave me:

SmitFraudFix v2.423

Scan done at 20:05:56.11, Mon 07/20/2009
Run from C:\Users\Adrian\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\helppane.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Adrian


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Adrian\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Adrian\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Adrian\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 AM

Posted 20 July 2009 - 10:34 PM

OK, there is definitely something wrong with that Smit log.
Perhaps we should now run SUPERAntiSpyware.
Also, it may now be useful to see a past MBAM log that was infected, to see what was found earlier.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox or Opera browser click that browser at the top and choose: Select All
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#6 aye


Posted 21 July 2009 - 04:58 AM

Here is the past MBAM log where it found the infected file:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6000

7/20/2009 2:39:24 AM
mbam-log-2009-07-20 (02-39-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241747
Time elapsed: 39 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{99f9ba21-bef3-4a52-b803-7a83ec70b144}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{99f9ba21-bef3-4a52-b803-7a83ec70b144}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{99f9ba21-bef3-4a52-b803-7a83ec70b144}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.





I then downloaded ATF Cleaner, and SUPERAntiSpyware. Surprisingly, I didn't have trouble installing SUPERAntiSpyware, but when I try opening the program by clicking the icon, or from Program Files, the computer crashes and shows me a blue screen. When I try right-clicking the application and changing the file name from program files or from the desktop, it also results in a blue screen crash.

So at the moment I have only completed the part with ATF Cleaner. Please let me know if there is a way around this to get SUPERAntiSpyware working, or if I should try a different program possibly.

Thanks again for your time!
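The MBAM log in the post above is the most telling evidence in the thread: every NameServer and DhcpNameServer value under Tcpip\Parameters, in every ControlSet, pointed at 85.255.112.166 and 85.255.112.67, and a scheduled-task .job file in C:\Windows\Tasks was flagged as Trojan.FakeAlert. What follows is an added example, not code from the thread or from Malwarebytes, SmitfraudFix or SUPERAntiSpyware: a small Python script that parses those log lines (and the "DNS Server Search Order" lines SmitfraudFix prints in its DNS section, as seen in the thread's later SmitfraudFix log), extracts the configured resolvers, flags any that fall inside a rogue range, and lists the scheduler artifacts. The rogue range 85.255.112.0/20 is an assumption chosen because the logged addresses fall inside it, the regexes assume the 2009 log layouts quoted here, and the sample logs are constructed from the thread's own lines.

```python
"""Offline triage of the scanner logs quoted in this thread.

Added example for this page; it is not part of Malwarebytes, SmitfraudFix or
any other tool the posts mention, and the two log formats it parses are only
the 2009-era text layouts visible in the thread. It pulls the configured DNS
resolvers out of MBAM "Registry Data Items Infected" lines and SmitfraudFix
"DNS Server Search Order" lines, flags any resolver inside a rogue range, and
lists detected files under Windows\\Tasks (scheduler persistence).
"""
import ipaddress
import re

# Rogue resolver ranges. Treating 85.255.112.0/20 as rogue is this example's
# assumption (it is the block the thread's NameServer values fall into); a real
# deployment would load its own blocklist instead of this one-entry list.
ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# MBAM 1.x registry-data line:
#   HKEY_...\NameServer (Trojan.DNSChanger) -> Data: 1.2.3.4,5.6.7.8 -> Quarantined and deleted successfully.
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_[^ ]+) \((?P<detection>[^)]+)\) -> Data: (?P<data>[^ ]+) -> (?P<action>.+)$"
)
# MBAM 1.x file line:
#   c:\Windows\Tasks\{GUID}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
MBAM_FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^(]+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$"
)
# SmitfraudFix DNS section line:
#   DNS Server Search Order: 64.59.144.92
SFF_DNS_RE = re.compile(r"^DNS Server Search Order:\s*(?P<ip>[0-9.]+)$")

# Sample input, constructed from lines quoted in this thread (the infected MBAM
# log and the later SmitfraudFix DNS section). Raw strings keep the backslashes.
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48dae7a9-c6bf-4600-bf01-4397ec2d12bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
SAMPLE_SFF = """
DNS

Description: D-Link Air DWL-122 Wireless USB Adapter
DNS Server Search Order: 64.59.144.92
DNS Server Search Order: 64.59.144.93
"""


def extract_resolvers(log_text):
    """Set of DNS resolver addresses named anywhere in an MBAM or SmitfraudFix log."""
    found = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MBAM_DATA_RE.match(line)
        if m:
            # Only the DNS value names matter; other registry data lines are ignored.
            value_name = m.group("key").rsplit("\\", 1)[-1]
            if value_name in ("NameServer", "DhcpNameServer"):
                found.update(ip for ip in re.split(r"[,\s]+", m.group("data")) if ip)
            continue
        m = SFF_DNS_RE.match(line)
        if m:
            found.add(m.group("ip"))
    return found


def rogue_resolvers(log_text):
    """Sorted list of resolvers from the log that fall inside ROGUE_RANGES."""
    bad = []
    for ip in extract_resolvers(log_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address (e.g. a truncated Data field); skip it
        if any(addr in net for net in ROGUE_RANGES):
            bad.append(ip)
    return sorted(bad)


def scheduled_task_artifacts(log_text):
    """(path, detection) pairs for detected files under \\Windows\\Tasks."""
    hits = []
    for raw in log_text.splitlines():
        m = MBAM_FILE_RE.match(raw.strip())
        if m and "\\windows\\tasks\\" in m.group("path").lower():
            hits.append((m.group("path"), m.group("detection")))
    return hits


if __name__ == "__main__":
    for name, text in (("MBAM", SAMPLE_MBAM), ("SmitfraudFix", SAMPLE_SFF)):
        print(name, "resolvers:", sorted(extract_resolvers(text)))
        print(name, "rogue:", rogue_resolvers(text))
    print("task artifacts:", scheduled_task_artifacts(SAMPLE_MBAM))
```

Run it as-is to see the sample results; on a real case, feed it the saved mbam-log-*.txt and the SmitfraudFix report instead of the embedded samples. Note that the MBAM entries are recorded as already quarantined, so what the log tells you is which resolvers the machine had been using; the resolvers SmitfraudFix reports afterwards are the check that the DNS settings now point somewhere you recognise.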

#7 boopme


Posted 21 July 2009 - 10:55 AM

If SUPERAntiSpyware will not run when your PC starts or when you double-click the program shortcut, you may have a class of infection that specifically targets SUPERAntiSpyware and prevents it from running.
USE this link.

http://downloads.superantispyware.com/downloads/SAS_FREE.EXE

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#8 aye


Posted 22 July 2009 - 02:16 AM

Hi, I uninstalled SUPERAntiSpyware and tried installing it again with the file in your link, but my computer crashed at the end of the installation phase. After 3 times of crashing near the end of installation, I was finally able to install SUPERAntiSpyware. I then tried running the program by clicking the icon, but it would be closed down instantly, with a pop-up from windows saying that SUPERAntiSpyware has stopped working. I tried re-naming the file and starting it again but the same thing would happen.

Later I tried opening SUPERAntiSpyware from safe mode, and it worked with the re-named file. Here is the scan log for SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/21/2009 at 08:08 PM

Application Version : 4.26.1006

Core Rules Database Version : 4010
Trace Rules Database Version: 1950

Scan type : Complete Scan
Total Scan Time : 01:27:15

Memory items scanned : 324
Memory threats detected : 0
Registry items scanned : 6709
Registry threats detected : 0
File items scanned : 143471
File threats detected : 21

Adware.Tracking Cookie
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ad.lookery[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@adcentriconline[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@adinsert.buddymedia[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@adinterax[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.adsonar[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.cnn[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.lucidmedia[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.realtechnetwork[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.revsci[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.veoh[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@ads.widgetbucks[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@adultadworld[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@anad.tacoda[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@content.yieldmanager.edgesuite[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@content.yieldmanager[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@content.yieldmanager[3].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@dynamic.media.adrevolver[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@imrworldwide[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@richmedia.yahoo[1].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@socialmedia[2].txt
C:\Users\Adrian\AppData\Roaming\Microsoft\Windows\Cookies\Low\adrian@yieldmanager[1].txt


------------------------------------------------------------------------------------------------

Also, here is the MBAM scan log:

Malwarebytes' Anti-Malware 1.39
Database version: 2477
Windows 6.0.6000

7/22/2009 00:13:54
mbam-log-2009-07-22 (00-13-54).txt

Scan type: Quick Scan
Objects scanned: 82345
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 boopme


Posted 22 July 2009 - 09:59 AM

OK, if we don't want to go the HJT route, then run Dr.Web.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#10 aye


Posted 23 July 2009 - 02:09 AM

Hi, and thanks again for the quick reply! It is very much appreciated.

I tried running Dr.Web on safe mode, but no matter how many times I tried, my computer would crash when I tried running it. I then ran Dr.Web on normal mode with no problems. I ran the complete scan following your instructions, and multiple files were found, with some being sent to quarantine since they couldn't be removed (should I try deleting these files?). At the end of everything, I clicked save report list, and my computer crashed instantly, sending me to a blue screen.

I wasn't able to save the report list, but I found a CureIt notepad file in the DoctorWeb folder. At the end of the log was this:

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 784127
Infected: 1
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 9
Cured: 0
Deleted: 1
Renamed: 0
Moved: 2
Ignored: 0
Scan speed: 122 Kb/s
Scan time: 07:16:33


Please let me know if I should post up the info in the CureIt notepad file. The reason I didn't do so now, is because the info listed is over 1000 pages.

#11 boopme


Posted 23 July 2009 - 09:48 AM

Hello, no thanks. How is it running now? Can you please just rerun Part 1 of SmitFraudFix and post the report.

#12 aye


Posted 23 July 2009 - 02:59 PM

Hi, here is the log for the SmitfraudFix run in safe mode (doesn't work in normal mode):

SmitFraudFix v2.423

Scan done at 12:58:08.57, Thu 07/23/2009
Run from C:\Users\Adrian\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Adrian


C:\Users\Adrian\AppData\Local\Temp


C:\Users\Adrian\Application Data


Start Menu


C:\Users\Adrian\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: D-Link Air DWL-122 Wireless USB Adapter
DNS Server Search Order: 64.59.144.92
DNS Server Search Order: 64.59.144.93



Scanning for wininet.dll infection


End

#13 boopme


Posted 23 July 2009 - 03:31 PM

OK, So how are the browsers now? Is it running normal?

#14 aye


Posted 23 July 2009 - 04:20 PM

No, unfortunately the browsers (Firefox and IE) still close after a split second of opening them. However, when I run safe mode with networking I am able to access the internet on both browsers without apparent problems.

Even though MBAM doesn't find any infected files anymore, I think the virus/trojan is still active, because certain virus scan programs are still blocked in normal mode, and because I can't open any browsers in normal mode without them closing almost instantly. Also, my clock was set to the 12 hour system, but now it's been changed to the 24 hour system (don't know if this is related?).

Do you think the virus/trojan is causing these problems? Or could it be something unrelated?

Anyways, thanks again for your continued help! :thumbsup: Hopefully I can get my browsers working on normal mode.

#15 boopme


Posted 23 July 2009 - 05:30 PM

Well, it would seem most likely that malware is the cause. I've got 3 more things, 2 now.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Now run RootRepeal

Next, please install RootRepeal.
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
Not this >>> SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High



