Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Installer Virus [Moved]


  • Please log in to reply
13 replies to this topic

#1 pscmed

pscmed

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 24 July 2009 - 04:16 PM

I have ran ad-aware, spybot, and AVG. They all said they removed the trojan but upon restart it returns. I tried running malwarebytes but the program will not start. I have installed Hijackthis on the computer and just ran the Comedian program. The computer finished all the steps but would not create a registry restore point. I can runt and post the log if you want from hijack this. Any help is appreciated.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,012 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:16 AM

Posted 24 July 2009 - 05:34 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 PM

Posted 24 July 2009 - 05:39 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Computer Pro

#4 pscmed

pscmed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 24 July 2009 - 07:08 PM

Even after renaming the file to winlogon.exe, i am unable to open the file. Any suggestions?

#5 pscmed

pscmed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 24 July 2009 - 07:49 PM

After several reboots i was able to run it. Here is the log:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/24/2009 7:47:54 PM
mbam-log-2009-07-24 (19-47-54).txt

Scan type: Quick Scan
Objects scanned: 93286
Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\my downloads\SpyWareNukerInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\philip campbell\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\8B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\silc_dll.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\EGCOMSERVICE_pack.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\nethv32.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:16 AM

Posted 24 July 2009 - 08:01 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Chewy

No. Try not. Do... or do not. There is no try.

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 PM

Posted 24 July 2009 - 08:10 PM

Also:

IMPORTANT NOTE: uacinit.dll is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS please read this for more info:

When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards or that the removal will be successful. Let me know what you decide to do.
Computer Pro

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:16 AM

Posted 24 July 2009 - 08:35 PM

That brings up a complicated question, exactly what is the purpose of these infections?

Sometimes the rootkit /backdoor is just trying to protect a rogue where you are scammed into buying some removal package, but then there's often components included for stealing your personal financial information.
Chewy

No. Try not. Do... or do not. There is no try.

#9 pscmed

pscmed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 25 July 2009 - 03:52 PM

Launchpad Removal.exe;C:\Documents and Settings\Philip Campbell\Application Data\U3\temp;Probably Trojan.Packed.189;Deleted.;
iTunesSetup.exe/iTunes.msi/stream001\iTunes.exe;C:\Documents and Settings\Philip Campbell\My Documents\My Downloads\iTunesSetup.exe/iTunes.msi/stream001;Probably Trojan.Packed.189;;
stream001;C:\Documents and Settings\Philip Campbell\My Documents\My Downloads;Archive contains infected objects;;
iTunes.msi;C:\Documents and Settings\Philip Campbell\My Documents\My Downloads;Archive contains infected objects;;
iTunesSetup.exe;C:\Documents and Settings\Philip Campbell\My Documents\My Downloads;Archive contains infected objects;Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch;Deleted.;
ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Deleted.;
A0103337.exe;C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP434;Probably Trojan.Packed.189;Deleted.;
popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Deleted.;
UACkjakyckxncjwvxfjr.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
UACkqoyxmsqibdltuhtl.dll;C:\WINDOWS\system32;Trojan.Packed.365;Incurable.Moved.;

So from reading the previous post, would a complete format with the computer disk clean the virus?

I don't know if i should continue to try to clean the computer or try and wipe it?

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 PM

Posted 25 July 2009 - 03:58 PM

Reformatting would be the best known way to get the 'backdoor' out. But it can also be cleaned, but there is always a possibility that the backdoor is still in your system. Its your choice
Computer Pro

#11 pscmed

pscmed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 25 July 2009 - 04:07 PM

What is the next step?

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:16 AM

Posted 25 July 2009 - 04:12 PM

Let's look for rootkits

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please

Posted Image
Chewy

No. Try not. Do... or do not. There is no try.

#13 pscmed

pscmed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 26 July 2009 - 07:49 PM

I decided to reformat the computer. Thanks for al of your help.

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:16 PM

Posted 26 July 2009 - 08:53 PM

Your welcome
Computer Pro




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users