Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

think it's Koobface from FB. please help


  • Please log in to reply
9 replies to this topic

#1 lauridyan

lauridyan

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 06 August 2009 - 04:43 PM

My son was on facebook and clicked on a link which prompted him to watch a video. It then prompted him to "update" something and now his computer is messed up. My problem is that it has blocked access to the internet...so I can't download any tools to help diagnose or remove. He can access his email...by using a gmail widget. Is there a way to email the programs like HJT?..or a way to disable/bypass the worm long enough to access sites?

Any help would be greatly appreciated!!!

Lauri


:thumbsup:

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:45 AM

Posted 06 August 2009 - 11:52 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 lauridyan

lauridyan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 07 August 2009 - 06:14 AM

I was able to install and run Malwarebytes from a disk after downloading it to another computer and copying it. It ran successfully and eliminated 11 items. Koobface was identified. Since we could then connect to the internet, I updated MBAM and re-ran a full scan and it found 5 more. I then rebooted in safe mode and ran a full scan again. This time, it didn't report any. I have now downloaded HJT and Combofix just in case I need them in the future. Is it possible to post a log to verify that I have gotten rid of all those nasty trojans and worms? My fear is that there is a lingering backdoor agent or something that will continue to infect this computer without our knowledge. Thanks for any assistance!!

:thumbsup:

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:45 AM

Posted 07 August 2009 - 06:35 AM

Hello lauridyan and :thumbsup: to BleepingComputer!

Firstly, please do not run Combofix unless specifically instructed to by a trained malware specialist. Combofix is an extremely powerful tool that can cause disastrous problems when used improperly. You don't even need to keep Combofix on your computer "just in case." The program is updated very frequently, so any time you are asked to use it you will be asked to download a new version. Please delete the copy you have downloaded.

In regards to your malware issues, I would be happy to assist you. :flowers: Please post both MBAM logs that found infections so that I may see what we're dealing with here.

~Blade

In your next reply, please include the following:
Two Malwarebytes logs

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 lauridyan

lauridyan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 07 August 2009 - 07:22 AM

Thank you so much for your help, Blade!

I will delete the combofix.

Here are the two logs from MBAM:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/6/2009 8:16:41 PM
mbam-log-2009-08-06 (20-16-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 282996
Time elapsed: 3 hour(s), 14 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\Windows\ld12.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\browserctl\browserctl.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\browserctl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\browserctl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\browserctl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevancetext.linker (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevancetext.linker.1 (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\browserctl\browserctl.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\BRADEN\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LYJQ5UDT\ms.19[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Users\BRADEN\AppData\Local\Temp\srazo_1249569435.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Windows\sodinpix1249569396.ExE (Spyware.LdPinch) -> Quarantined and deleted successfully.
c:\Windows\ld12.exe (Backdoor.Bot) -> Quarantined and deleted successfully.




Malwarebytes' Anti-Malware 1.40
Database version: 2573
Windows 6.0.6001 Service Pack 1

8/6/2009 11:04:15 PM
mbam-log-2009-08-06 (23-04-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 281301
Time elapsed: 2 hour(s), 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\browserctldrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\browserctl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\BrowserCtl (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\BrowserCtl\BrowserCtl.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.



I did run a full scan in safe mode after this last one, and it came back clean. Thanks again for taking a look!!

Lauri :thumbsup:

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:45 AM

Posted 07 August 2009 - 07:33 AM

Alright. . . this doesn't look too serious. I'd like us to run another scanner to make sure we got everything though. Please note that this scanner will take a while to run.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade


In your next reply, please include the following:
SUPERAntiSpyware log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 lauridyan

lauridyan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 08 August 2009 - 03:27 PM

Ok, all done! Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2009 at 02:36 PM

Application Version : 4.27.1002

Core Rules Database Version : 4046
Trace Rules Database Version: 1986

Scan type : Complete Scan
Total Scan Time : 01:40:33

Memory items scanned : 273
Memory threats detected : 0
Registry items scanned : 7054
Registry threats detected : 0
File items scanned : 178984
File threats detected : 12

Adware.Tracking Cookie
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@ad.yieldmanager[1].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@ads.youtube[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@atdmt[1].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@bs.serving-sys[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@doubleclick[1].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@insightexpressai[1].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@media6degrees[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@msnportal.112.2o7[1].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@questionmarket[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@revsci[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@serving-sys[2].txt
C:\Users\BRADEN\AppData\Roaming\Microsoft\Windows\Cookies\Low\braden@tribalfusion[2].txt

~Lauri :thumbsup:

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:45 AM

Posted 08 August 2009 - 04:21 PM

Hi Lauridyan :flowers:

Alright looks good. :thumbsup: Are you experiencing any more symptoms?

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 lauridyan

lauridyan
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 08 August 2009 - 04:39 PM

Nope. Seems to be fine. Thank you sooooo much for your assistance! You Rock! :thumbsup:

~Lauri

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:45 AM

Posted 08 August 2009 - 04:46 PM

Glad I could help :thumbsup:

Your machine appears to be clean!

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above.

Next, please hide your System Files. To do this, please refer to the following guide and reverse its steps: "How To See Hidden Files in Windows."


This should give you a good start into malware free pc usage. However I do suggest to visit the following additional information listed below:I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atl east one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users