I just got infected big time, my PC hijacked? Help please

22 replies to this topic

#1 wtfer (Members, 51 posts)

Posted 05 August 2009 - 09:55 PM

I was web browsing & clicked on a site with the latest Firefox browser on & all of a sudden my PC started going crazy.
I tried to access my task manager to see if any new process appeared & yup, several.
I tried to shut them down, but my PC rebooted itself before I could!

As my PC rebooted, a completely new desktop background replaced my default one & a spyware program that I never saw before automatically starts up when the PC boots up.

Here is the spyware that starts up when I restart my PC:
Posted Image

It lasts for only a few seconds, then a pop-up in my toolbar appears telling me I'm affected.
Posted Image

As you can see, my desktop wallpaper has been hijacked by that advertisement telling me I need their spyware protection.

When I opened up my task manager, I noticed several new processes. I was only able to end two of them (a.exe & c.exe) before my PC rebooted itself.
The new ones here are b.exe & msa.exe:
Posted Image

Also, when I opened Internet Explorer I got the new .exe on the right hand side of the picture,
hpswp_clipbook.exe, & my IE window started to try & open & close several times before I finally ended that process.

I have been so out of touch with cleaning my PC because I usually am careful, but I messed up today.
I only have outdated versions of spybot & ad-aware SE.

This is what Ad-Aware found:
Posted Image

That did nothing to get rid of the new desktop wallpaper & the spyware program that boots on startup.


I downloaded the latest HijackThis program, but what else do I need to fully clean my PC of this hijacking?


#2 ComputerNutjob (Banned, 125 posts)

Posted 05 August 2009 - 10:10 PM

I recommend BCs removal guide, found here: http://www.bleepingcomputer.com/virus-remo...system-security

If that doesn't work (which it should), please wait for assistance from one of the many BC Advisors.

Surf Safe!

ComputerNutjob


EDIT: Or follow boopme's instructions.

Edited by ComputerNutjob, 05 August 2009 - 10:28 PM.


#3 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 05 August 2009 - 10:26 PM

Hello and welcome.
Please download and install Microsoft's Process Explorer and save it to your desktop.
Right click on the icon and select Rename; rename the icon fixer.
Now double click and run it. Agree to the next few prompts. The Process Explorer window should now be up.

In the left pane, scroll till you see a small shield icon with a series of random numbers (something like 45621952.exe). This is what we have to stop.
Left click that file to highlight it.
Now kill that process. Click on the "X" at the top (under the word Find or Users, to the left of the binoculars).
In the confirmation box that appears, click the Yes button to kill the process.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by boopme, 05 August 2009 - 10:47 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Orange Blossom (Moderator, 37,011 posts, Bloomington, IN)

Posted 05 August 2009 - 11:54 PM

Topic reopened and HiJack This topic deleted.

@ wtfer,

Please follow boopme's instruction in the previous post.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 wtfer (Topic Starter, 51 posts)

Posted 06 August 2009 - 11:32 AM

Hey everybody, thanks for the help. MalwareBytes found over 50 infections, but I seem to still have a problem. When I use Google & open a link through a tab, the site is redirected to a spam site.
I even tried to access www.bleepingcomputer.com through a Google search link & it opened some random spam site offer.
Firefox also seems to have a hard time ending when I close the browser window; firefox.exe is still running in my task manager. I have to kill it through there to close my browser.
EDIT: HELP!!!!!!! A NEW VIRUS SCAN IS NOW popping up non-stop & I can't close it. HELP
Posted Image



Quote (boopme):
Hello and welcome.
Please download and install Microsoft's Process Explorer, save it to your desktop.
Right click on the icon and select Rename; rename the icon fixer.
Now double click and run it. Agree to the next few prompts. The Process Explorer window should now be up.

In the left pane, scroll till you see a small shield icon with a series of random numbers (something like 45621952.exe). This is what we have to stop.
Left click that file to highlight it.
Now kill that process. Click on the "X" at the top (under the word Find or Users to the left of the binoculars)
In the confirmation box that appears click the Yes button to kill the process.


If it matters, I did not see the shield icon, I might have either killed it by going to the task manager or my firewall disabled it after it starts up & runs only for a few seconds.


Quote (boopme):
Next run MBAM (MalwareBytes):
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.




Here is my log. I did a full system scan; this is not reporting the new virus that is popping up non-stop:

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/5/2009 9:43:24 PM
mbam-log-2009-08-05 (21-43-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198509
Time elapsed: 43 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 34
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a916af3c-976d-4358-8736-95bea0b5fd2c} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{be45f056-e005-437b-be88-23acf70b0b6a} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18842504 (Rogue.Multiple.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlhpr (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\18842504 (Rogue.Multiple.H) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\Application Data\18842504\18842504 (Rogue.Multiple.H) -> No action taken.
C:\Documents and Settings\All Users\Application Data\18842504\18842504.exe (Rogue.Multiple.H) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\b.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\a.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ancrsomexw.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\c.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\db.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\nsbisey2c44.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\nsbisey2c45.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\nsbisey2c46.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ownrxsemac.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\sacnrwmoex.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\serr.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\UAC7183.tmp (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\UAC7210.tmp (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\UAC998d.tmp (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VPHA5PT\setup[1] (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W3R5PO6Y\winres[1] (Trojan.Downloader) -> No action taken.
C:\WINDOWS\msa.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msxm192z.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\UACgetfxtqljfocpsjoe.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\UACkgalkkrohwrxknugj.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\netcard.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

_______________________________________________________________________
EDIT: yeah, the new virus is really messing me up. It won't let me open up MS Paint, won't let me open my Add & Remove option in my Control Panel & won't let me open my browsers. I had to restart my PC for it to work before it started non-stop.
Posted Image

I may have to use another way to revisit this site to see any replies as I don't know if I could from this PC again.

Edited by wtfer, 06 August 2009 - 11:44 AM.


#6 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 06 August 2009 - 12:15 PM

OK, disconnect from the internet as much as possible.
In the left pane, scroll till you see a small shield icon that says Windows A. This is what we have to stop.
Left click that file to highlight it.
Now kill that process. Click on the "X" at the top (under the word Find or Users, to the left of the binoculars).
In the confirmation box that appears, click the Yes button to kill the process.


Did you click on "Remove selected" and then reboot after that scan?
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Also I must give you this advice
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#7 wtfer (Topic Starter, 51 posts)

Posted 06 August 2009 - 05:07 PM

Oh God, I'm going to disconnect but need a few answers.
When I turn the disconnect icon from fixer.exe, it immediately pops back up.
I also reran MBAM before this & got a clean scan, then all of a sudden my PC just rebooted out of nowhere (I did not visit any links) & I got this massive infection.

MBAM did not stop this the first time. Also, this picture I took of the rogue .exe: it is located in

Program Files/ Windows Antivirus Pro.exe

Should I delete that, or will that mess me up even more?
Is there any other software I can download to stop this?


God, I hope my bank account isn't wiped out when I go tomorrow.

#8 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 06 August 2009 - 07:30 PM

Hello, yes you can delete that.

We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#9 wtfer (Topic Starter, 51 posts)

Posted 06 August 2009 - 08:02 PM

Thanks, I'll try that now. BTW I re-ran MBAM & got 56 new infections. That is just from a day ago when I cleaned everything up with MBAM & visited no unsafe sites.

EDIT:

When I run RootRepeal, it has two pop-ups that tell me:

Could Not Read the Boot Sector. Try Adjusting the Disk Access level in the Options dialog

Could not load out kernel! Please contact the author!

Is this a problem on my part?

Edited by wtfer, 06 August 2009 - 08:12 PM.


#10 wtfer (Topic Starter, 51 posts)

Posted 06 August 2009 - 09:04 PM

When I downloaded RootRepeal, it didn't give me an option for a Report tab.
I just hit the scan button, here is the log it gave me:

EDIT: scratch that, I found what you were talking about, but when I select all those & hit Scan, it crashes the program & I get no save file.



Also this is my save log from my 2nd MBAM scan:
Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/6/2009 3:56:13 PM
mbam-log-2009-08-06 (15-56-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198540
Time elapsed: 44 minute(s), 50 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> No action taken.
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntivirus) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_12 (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippro2009_12 (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_12 (Trojan.Dropper) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> No action taken.

Folders Infected:
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> No action taken.

Files Infected:
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> No action taken.
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntivirus) -> No action taken.
C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> No action taken.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> No action taken.
C:\WINDOWS\system32\wispex.html (Malware.Trace) -> No action taken.

I'm also getting the random spam sites if I click through any legit link again. It seems MBAM did not fully clean it up.

Edited by boopme, 06 August 2009 - 09:11 PM.
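The two MBAM logs in this thread (posts #5 and #10) are read by hand by the helpers. As an added example, not part of the original thread and not Malwarebytes' own code, the Python script below does the same triage mechanically: it parses the "location (Threat.Name) -> status." lines the logs use, groups each finding by the persistence mechanism its location implies (Run keys, services and drivers, browser helper objects, scheduled tasks, the exefile open-command hijack, Security Center tampering), flags threat classes that trigger the rebuild advice given in post #6 (Backdoor.*, Rootkit.*, Trojan.TDSS), and reports whether entries are still "No action taken", i.e. whether Remove Selected was ever clicked. The embedded SAMPLE_LOG is constructed from the kinds of lines visible above; the threat-class list and the kind labels are this example's own assumptions, not Malwarebytes' taxonomy.

```python
"""Triage of a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; not Malwarebytes' code. It parses the
"<location> (<Threat.Name>) -> <status>." lines the logs above use, groups
them by the persistence mechanism the location implies, and flags what a
helper reacts to: backdoor/rootkit classes, a hijacked exefile open command,
and entries still marked "No action taken" (meaning Remove Selected was
never run). SAMPLE_LOG is constructed from the kinds of lines visible in
the thread; the class list and kind labels are this example's assumptions.
"""
import re
from collections import defaultdict

# Ordinary finding:   <loc> (<threat>) -> <status>.
FINDING_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<status>[^.]+)\.$")
# Registry data item: <loc> (<threat>) -> Bad: (<bad>) Good: (<good>) -> <status>.
DATA_RE = re.compile(
    r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<status>[^.]+)\.$"
)
# Threat-name prefixes implying remote control or kernel compromise (assumed list).
REBUILD_CLASSES = ("Backdoor.", "Rootkit.", "Trojan.TDSS")

# Constructed sample in the MBAM 1.x log format; paths follow the thread's logs.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlhpr (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\UACkgalkkrohwrxknugj.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


def persistence_kind(loc: str) -> str:
    """Label a registry/file location by the persistence mechanism it represents."""
    l = loc.lower()
    if "\\currentversion\\run\\" in l:
        return "run-key autostart"
    if "\\services\\" in l or "\\enum\\root\\legacy_" in l:
        return "service/driver"
    if "browser helper objects" in l:
        return "IE browser helper object"
    if l.endswith(".job"):
        return "scheduled task"
    if "\\shell\\open\\command" in l:
        return "file-association hijack"
    if "security center" in l:
        return "security center tampering"
    if l.endswith(".sys"):
        return "kernel driver file"
    return "other"


def parse_log(text: str) -> list:
    """Return one dict per finding line; section headers and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = DATA_RE.match(line) or FINDING_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d.setdefault("bad", None)
        d.setdefault("good", None)
        d["kind"] = persistence_kind(d["loc"])
        findings.append(d)
    return findings


def triage(text: str) -> dict:
    """Summarise a log the way a helper reads it in this thread."""
    findings = parse_log(text)
    by_kind = defaultdict(list)
    for f in findings:
        by_kind[f["kind"]].append(f["loc"])
    untreated = [f for f in findings if f["status"].lower().startswith("no action")]
    rebuild = sorted({f["threat"] for f in findings if f["threat"].startswith(REBUILD_CLASSES)})
    # exefile hijack: every .exe launch is routed through the rogue's binary first.
    hijack = [f for f in findings
              if f["kind"] == "file-association hijack" and f["good"] and f["bad"] != f["good"]]
    return {
        "total": len(findings),
        "by_kind": {k: len(v) for k, v in by_kind.items()},
        "untreated": len(untreated),
        "removal_ran": len(untreated) == 0,          # False => Remove Selected never clicked
        "rebuild_recommended": rebuild,
        "exe_hijack": [f["bad"] for f in hijack],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, the "removal_ran" flag answers boopme's question in post #12 directly, and a non-empty "rebuild_recommended" list is the trigger for the disconnect-and-change-passwords advice in post #6.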


#11 wtfer (Topic Starter, 51 posts)

Posted 06 August 2009 - 09:13 PM

I noticed when I scan for just the files it brings up a long list, but two of them have this under status:
Volume C:\ MBR Rootkit detected
Volume D:\ MBR Rootkit detected
They are listed under the status as "Sector Mismatch" & "Visible to Windows API, but not on disk".

quick edit:

Also, when I scan just the Drivers, under the list where it states if the file is visible, there are 3 that say no:
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4D76000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A87000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF00B9000 Size: 49152 File Visible: No Signed: -
Status: -

Do they mean anything?

Edited by boopme, 06 August 2009 - 09:49 PM.
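The "MBR Rootkit detected" / "Sector Mismatch" status above is a cross-view result: the first sector as handed back through the normal Windows read path differs from the sector read from the disk directly, which is what a bootkit's filtering produces. As an added example, not RootRepeal's or mbr.exe's code and not part of the original thread, the Python script below performs that comparison on two 512-byte sector images, checks the 0x55AA boot signature, decodes the four partition entries, and reports whether the boot code or the partition table is what changed. Both images are constructed inline: a plausible clean MBR and the same MBR with its first 16 bytes of boot code replaced, which is the pattern a bootkit leaves when it redirects the boot path but keeps the partition table so the system still boots. Offsets are the standard MBR layout; the byte values are illustrative.

```python
"""Cross-view check of a Master Boot Record.

Added example for this thread; not RootRepeal's or mbr.exe's code. Two
512-byte images are compared: the sector the OS returns through its normal
API ("api view") and the sector read from the disk directly ("raw view").
A difference is the "Sector Mismatch" a rootkit scanner reports. Both
sample images below are constructed here.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439: boot loader code
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA


def parse_partitions(mbr: bytes) -> list:
    """Decode the four classic partition entries; empty (type 0) entries are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(api_view: bytes, raw_view: bytes) -> dict:
    """Compare the API-visible sector with the sector read straight from disk."""
    report = {"sector_mismatch": False, "boot_code_changed": False,
              "partition_table_changed": False, "valid_signature": True, "details": []}
    for name, s in (("api", api_view), ("raw", raw_view)):
        if len(s) != SECTOR or s[BOOT_SIG_OFF:] != b"\x55\xAA":
            report["valid_signature"] = False
            report["details"].append(f"{name} view: missing 0x55AA boot signature")
    if api_view != raw_view:
        report["sector_mismatch"] = True
        report["boot_code_changed"] = api_view[:BOOT_CODE_LEN] != raw_view[:BOOT_CODE_LEN]
        report["partition_table_changed"] = (api_view[PART_TABLE_OFF:BOOT_SIG_OFF]
                                             != raw_view[PART_TABLE_OFF:BOOT_SIG_OFF])
        n = min(len(api_view), len(raw_view))
        first = next((i for i in range(n) if api_view[i] != raw_view[i]), n)
        report["details"].append(f"first differing byte at offset {first}")
    report["api_sha256"] = hashlib.sha256(api_view).hexdigest()
    report["raw_sha256"] = hashlib.sha256(raw_view).hexdigest()
    report["partitions"] = parse_partitions(raw_view)
    return report


def status_line(report: dict) -> str:
    """One-line verdict in the spirit of the scanner output quoted in the thread."""
    if not report["valid_signature"]:
        return "Could not read a valid boot sector"
    if report["sector_mismatch"]:
        return "MBR Rootkit detected (Sector Mismatch)"
    return "MBR consistent across views"


def build_clean_mbr() -> bytes:
    """Constructed clean MBR: a short stub plus NOPs, one bootable NTFS partition."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 0x01FFFFC1)
    return boot_code + disk_sig + entry0 + b"\x00" * 48 + b"\x55\xAA"


CLEAN_MBR = build_clean_mbr()
# Constructed "infected" raw view: a jump stub patched over the boot code, table untouched.
INFECTED_MBR = bytes([0xEB, 0x1A, 0x90, 0x90]) + b"\xCC" * 12 + CLEAN_MBR[16:]


if __name__ == "__main__":
    rep = check_mbr(CLEAN_MBR, INFECTED_MBR)
    print(status_line(rep))
    for k in ("boot_code_changed", "partition_table_changed", "details", "partitions"):
        print(f"{k}: {rep[k]}")
```

The partition table being unchanged while the boot code differs is the tell-tale: the system still boots normally, so the only visible symptoms are the redirects and reinfection the thread describes, and file-level scanners keep reporting a clean disk.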


#12 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 06 August 2009 - 09:16 PM

EDIT: looks like we were posting at the same time ... So do this first.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.



Sometimes removal takes several scans, tools and reruns.
OK, are you clicking the Remove Selected button after the scans? I need to check, as I see "No action taken" in the logs.
~
~
Rerun RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High

Try scanning now with the settings as described above.

~
~
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Edited by boopme, 06 August 2009 - 09:51 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 wtfer (Topic Starter, 51 posts)

Posted 07 August 2009 - 12:04 AM

EDIT: looks like we were posting at the same time ... So do this first.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.


This is what the mbr.log gave me:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
BIOS signateure not found



Sometimes removal takes several scans, tools and reruns.
Ok, are you clicking the Remove Selected button after the scans? Need to check, as I see a No Action Taken in the logs.
~
~
Rerun RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High

Try scanning now with the settings as described above.


I don't see the Remove Selected button, here is a picture of what it looks like when I try scanning the files section only & I can right click on the one on top:
Posted Image

I also set the Disk Access Level slider to High, it was set to Low by default.


Also the picture for Checking all six boxes has changed, it shows me this:
Posted Image
Something about the instructions being outdated


I feel I am close, but I can only visit this site; otherwise I feel I will get that mountain of Trojans again going anywhere else.

BTW Thank you very much for helping boopme, I am very appreciative for all this. I would donate if the site has a contribution page after this is all over. I actually checked my Bank card & it did not show any new activity for the past two days, so I dodged a bullet on that.
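The mbr.log above is the only machine-readable evidence in this post, and the interesting part is that the user-mode and kernel-mode reads of the MBR disagree. The following Python script is an added example, not part of the thread and not GMER's code: it parses the three "source: message" lines of such a log and reports whether the two views agree. The log text embedded in it is the one quoted in the post, reproduced as a constructed sample; the thresholds and labels are the example's own.

```python
"""Triage helper for a GMER mbr.exe log (added example; not part of the thread)."""
import re

# Constructed sample: the mbr.log text quoted in the post above, as a string.
SAMPLE_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
BIOS signateure not found
"""

# The tool reports each view of the MBR on its own line: "<source>: <message>".
LINE_RE = re.compile(r"^(?P<src>device|user|kernel):\s*(?P<msg>.+?)\s*$")


def parse_mbr_log(text):
    """Map each reporting source (device, user, kernel) to its message."""
    results = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            results[m.group("src")] = m.group("msg")
    return results


def assess(results):
    """Compare the user-mode and kernel-mode reads of the MBR.

    A rootkit that filters disk reads tends to leave the two views
    disagreeing, so a mismatch deserves a closer look. It is not proof:
    a user-mode read can also fail for mundane reasons, for example
    another driver or security product interfering with raw disk access.
    """
    user_ok = "read successfully" in results.get("user", "")
    kernel_ok = "read successfully" in results.get("kernel", "")
    if user_ok and kernel_ok:
        return "consistent"
    if kernel_ok and not user_ok:
        return "user/kernel mismatch"
    return "inconclusive"


if __name__ == "__main__":
    parsed = parse_mbr_log(SAMPLE_LOG)
    for src in ("device", "user", "kernel"):
        print(f"{src:>7}: {parsed.get(src, '<missing>')}")
    print("verdict:", assess(parsed))
```

Run it against a real mbr.log by replacing SAMPLE_LOG with the file's contents; a "user/kernel mismatch" verdict is a reason to keep going with the rootkit tools the helper lists, not a diagnosis by itself.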

#14 boopme (Global Moderator, NJ USA, 73,490 posts)

Posted 07 August 2009 - 10:20 AM

Ok , yes the banking looks good. I'm sorry I wasn't clear.. Remove Selected is in Malwarebytes.

Run Sophos ARK
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

#15 wtfer (Topic Starter, 51 posts)

Posted 07 August 2009 - 09:29 PM

Ok , yes the banking looks good. I'm sorry I wasn't clear.. Remove Selected is in Malwarebytes.

Run Sophos ARK
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.


Ouch, I think I might need a bit more help on this. I followed the instructions to the letter, but the result after 53 minutes of scanning was 9502 Hidden Items that Sophos Anti-Rootkit found!
Thing is that only about a dozen of them were from my C:\ drive; the rest of them were all in my D:\, which is my HP Recovery Drive. It contains 4 GB of data & when I try to enter any folder, a pop-up tells me "access denied".

Here are all the files that were found in the C:\ drive:
Posted Image

All of them were unknown & none of them were recommended for clean up. Same for the rest as I didn't check all 9,000+ items that were flagged in the D: drive, but scrolling through quite a few of them, they all said the same, Unknown: not recommended for clean up.

Is it safe to remove all the ones in the picture I put up or are any of them needed for my system to run normally? I didn't select anything after the scan.
Also can I delete all that stuff in my D:\ recovery drive? I never used anything in it since I bought my PC years ago. If anything is deleted there, I wouldn't miss it, unless it has to do with the stability of my system or PC. Anyone know?


I have been stuck with these Trojans for 3 days now, & I haven't used my PC for anything other than going online to visit this page lol.

Thanks again.

EDIT:
Hey I just googled each of these separately:
ytasfwpucrjiks.dll
ytasfwfkdibcgncr.tmp
ytasfweecblcvn.dat
ytasfwemoyxtlr.sys
ytasfwbwfwrgsk.dll
ytasfwlltlyioy.dat
ytasfwmqfwxwbw

& got no results at all, does that mean they are the Trojans & it's ok to delete them?

Edited by wtfer, 08 August 2009 - 04:03 AM.
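The seven names listed in the edit above share a fixed six-letter prefix followed by a random-looking tail, spread across several extensions (.dll, .sys, .dat, .tmp). Whether a name returns search-engine hits is a weak signal on its own; the pattern of the set is the stronger one. The script below is an added example, not part of the thread and not code from any of the tools it mentions: it groups a directory listing by prefix and flags clusters whose tails look random and that span more than one extension. The sample listing is constructed from the names in the post plus a few ordinary Windows file names; the prefix length, vowel-ratio threshold and minimum cluster size are the example's own assumptions and are meant for triage, not as a verdict on any file.

```python
"""Flag clusters of random-looking file names sharing a prefix (added example)."""
import os
import statistics
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample: the names listed in the post, plus ordinary Windows names
# that a scan of System32 would also return.
SAMPLE_NAMES = [
    "ytasfwpucrjiks.dll", "ytasfwfkdibcgncr.tmp", "ytasfweecblcvn.dat",
    "ytasfwemoyxtlr.sys", "ytasfwbwfwrgsk.dll", "ytasfwlltlyioy.dat",
    "ytasfwmqfwxwbw",
    "kernel32.dll", "ntoskrnl.exe", "atapi.sys", "wmilib.sys", "explorer.exe",
]


def vowel_ratio(s):
    """Fraction of letters that are vowels; random letter strings score low."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def split_name(name):
    """Lower-cased stem and extension (without the dot) of a file name."""
    stem, ext = os.path.splitext(name.lower())
    return stem, ext.lstrip(".")


def suspicious_clusters(names, prefix_len=6, min_members=3,
                        max_vowel_ratio=0.3, min_extensions=2):
    """Group names by their first prefix_len characters and flag clusters that
    (a) have at least min_members entries, (b) have tails whose median vowel
    ratio is at or below max_vowel_ratio, and (c) span several extensions.
    Thresholds are assumptions chosen for this example."""
    groups = defaultdict(list)
    for name in names:
        stem, ext = split_name(name)
        if len(stem) > prefix_len:
            groups[stem[:prefix_len]].append((name, stem[prefix_len:], ext))

    flagged = {}
    for prefix, members in groups.items():
        if len(members) < min_members:
            continue
        ratios = [vowel_ratio(tail) for _, tail, _ in members]
        exts = {ext for _, _, ext in members}
        if statistics.median(ratios) <= max_vowel_ratio and len(exts) >= min_extensions:
            flagged[prefix] = {
                "members": sorted(n for n, _, _ in members),
                "extensions": sorted(exts),
                "median_vowel_ratio": statistics.median(ratios),
            }
    return flagged


if __name__ == "__main__":
    for prefix, info in suspicious_clusters(SAMPLE_NAMES).items():
        print(f"prefix {prefix!r}: {len(info['members'])} files, "
              f"extensions {info['extensions']}, "
              f"median vowel ratio {info['median_vowel_ratio']:.2f}")
        for n in info["members"]:
            print("   ", n)
```

Feed it the output of a directory listing (for example the names Sophos showed for C:\) to see which groups stand out; a flagged cluster is a candidate to hand to the helper, and the decision to delete stays with the removal tools and the person guiding the cleanup.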




