
trojanspm/lx infection

4 replies to this topic

#1 alpha3

Posted 08 September 2009 - 10:05 PM

Today I was infected with a virus that gave a popup saying my PC was infected with trojanspm/lx. It hijacked my desktop and displayed a message there saying I was infected, and inserted an icon into my system tray telling me to download a particular software to remove it.

Anyway, I found an old thread here with some instructions on how to get rid of it, but the thread isn't complete. Here's what I did, in order. I ran AVG Antivirus, Spybot S&D, and MBAM in normal mode following infection. Spybot and MBAM removed things, but the infection was still present. I re-booted as instructed by MBAM to complete infection removal.

Spybot ran again upon bootup since I clicked yes to the prompt when it last ran. I then installed and updated SAS, then re-booted in safe mode. I then ran CCleaner, SAS, and MBAM again while in safe mode. I also ran Spybot and Ad-Aware 2008, but Spybot found nothing and Ad-Aware only pulled up 1 MRU object. I restarted in normal mode, and re-ran MBAM, SAS, and Spybot. No further entries were found.


Here is the MBAM log when infections were found:

Malwarebytes' Anti-Malware 1.40
Database version: 2758
Windows 5.1.2600 Service Pack 3

9/8/2009 5:36:36 PM
mbam-log-2009-09-08 (17-36-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121265
Time elapsed: 31 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Frank\Local Settings\Temp\UAC7f9.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
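The MBAM log above is the main evidence in this thread, and the interesting part is the "Registry Data Items" block: every entry is a Windows policy value the rogue set to 1 (wallpaper locked, Active Desktop locked, Task Manager disabled) that MBAM restored to 0. The following Python script is an added example, not part of the post or of Malwarebytes' own tooling: it parses an MBAM 1.x log into its sections, checks that the items actually listed match the summary counts (a mismatch usually means a truncated paste), and annotates each hijacked policy value with what it does to the user. The policy descriptions are my own summaries of those well-known policy values, and the sample log is the one from the post trimmed to its detection sections.

```python
import re

# Constructed sample: the summary counts and detection sections from the
# MBAM 1.40 log posted above (scan header lines omitted).
SAMPLE_LOG = r"""
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Frank\Local Settings\Temp\UAC7f9.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
"""

# Summary line ("Files Infected: 2") versus section header ("Files Infected:").
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "Registry Data Items" lines carry the value MBAM found and the value it restored.
DATA_ITEM_RE = re.compile(
    r"^(?P<path>\S.*?) \((?P<detection>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<action>.+?)\.?$"
)
# Keys, values, folders and files share the simpler "path (detection) -> action" shape.
ITEM_RE = re.compile(r"^(?P<path>\S.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# My own one-line summaries of the policy values seen in this log (assumption:
# descriptions are paraphrased, not taken from Microsoft documentation).
POLICY_MEANING = {
    "disabletaskmgr": "Task Manager disabled (Policies\\System)",
    "nochangingwallpaper": "wallpaper change blocked (Policies\\ActiveDesktop)",
    "noactivedesktopchanges": "Active Desktop changes blocked (Policies\\Explorer)",
    "nosetactivedesktop": "Active Desktop settings hidden (Policies\\Explorer)",
}


def parse_mbam_log(text):
    """Return (counts, sections): the summary counts, and each 'X Infected'
    section header mapped to the list of parsed item dicts beneath it."""
    counts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            sections[current] = []
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        m = DATA_ITEM_RE.match(line) or ITEM_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
    return counts, sections


def check_counts(counts, sections):
    """Sections whose listed items disagree with the summary count, as
    {section: (declared, listed)}; an empty dict means the log is consistent."""
    return {s: (counts.get(s), len(items)) for s, items in sections.items()
            if counts.get(s) != len(items)}


def policy_findings(sections):
    """Split each hijacked policy value into hive/key/value and explain it."""
    out = []
    for item in sections.get("Registry Data Items Infected", []):
        key, _, value = item["path"].rpartition("\\")
        out.append({
            "hive": key.split("\\", 1)[0], "key": key, "value": value,
            "bad": item.get("bad"), "good": item.get("good"),
            "meaning": POLICY_MEANING.get(value.lower(), "unknown policy value"),
        })
    return out


if __name__ == "__main__":
    counts, sections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(counts, sections))
    for f in policy_findings(sections):
        print(f"{f['hive']} {f['value']}: was {f['bad']}, restored {f['good']} -> {f['meaning']}")
```

On a log like this one, the policy table is the part worth keeping in an incident note: if Task Manager or the wallpaper is still locked after the scan, the value was re-set by something MBAM did not remove, which is exactly the "is it really clean" question the poster asks in the follow-ups.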


#2 alpha3

Posted 08 September 2009 - 10:07 PM

I came here to make sure that my PC is actually clean...

What other logs, info, etc. is needed in order to determine that my PC is safe again? I did try to run Win32kDiag, but here is what I got from that:

Log file is located at: C:\Documents and Settings\Frank\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Prefetch\layout.ini

[1] 2009-09-08 20:50:00 211120 C:\WINDOWS\Prefetch\layout.ini ()


Any help is appreciated. Thanks in advance!!

#3 alpha3

Posted 08 September 2009 - 10:09 PM

I should add that I turned off System Restore prior to running the programs in safe mode.

I have since turned it back on after the later scans didn't find anything.


I also reset my router to factory settings, and changed the login/password.

Edited by alpha3, 08 September 2009 - 10:10 PM.


#4 alpha3

Posted 08 September 2009 - 10:36 PM

So I found another thread with a member infected with AVR09.exe (which MBAM removed from my PC) getting the same "error" with Win32kDiag. http://www.bleepingcomputer.com/forums/topic249450-15.html

I created the peek.bat file as instructed in that thread, and here is the log.

Volume in drive C has no label.
Volume Serial Number is 0C58-2975

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 106,037,088,256 bytes free

Edited by alpha3, 08 September 2009 - 10:37 PM.
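The peek.bat listing above exists to compare three system DLLs (scecli.dll, netlogon.dll, eventlog.dll) in the live C:\WINDOWS\system32 against the Service Pack 3 reference copies in C:\WINDOWS\ServicePackFiles\i386; a size or timestamp that differs is the signal that the live file has been patched. The $NtServicePackUninstall$ copies are the older pre-SP3 files kept for uninstall, so they are expected to differ. The script below is an added example, not from the thread or from the peek.bat author: it parses `dir`-style output into per-directory entries and reports any live file whose size or timestamp does not match the reference. The first sample is the listing from the post verbatim; the second is a constructed copy with the system32 scecli.dll line altered (hypothetical size and date) so that a mismatch is actually exercised.

```python
import re
from collections import defaultdict

# The peek.bat output from the post, used verbatim as the "clean" sample.
PAGE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0C58-2975

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 180,224 scecli.dll
08/04/2004 03:56 AM 407,040 netlogon.dll
08/04/2004 03:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

 Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 106,037,088,256 bytes free
"""

# Constructed tampered sample: the last occurrence of the scecli.dll line is the
# system32 copy; give it a hypothetical different size and date.
_orig = "04/13/2008 08:12 PM 181,248 scecli.dll"
_head, _tail = PAGE_LOG.rsplit(_orig, 1)
TAMPERED_LOG = _head + "09/08/2009 05:31 PM 181,760 scecli.dll" + _tail

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# One file line: date, time, comma-grouped size, name. "<DIR>" rows and the
# "n File(s)" totals do not match this pattern and are skipped.
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return {directory: {filename_lower: (size_bytes, 'date time')}}."""
    entries = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            entries[current][name.lower()] = (int(size.replace(",", "")), f"{date} {time}")
    return dict(entries)


def compare_with_reference(entries, live_dir, ref_dir):
    """List (filename, reason) for every reference file that is missing from
    the live directory or differs from it in size or timestamp."""
    live, ref = entries.get(live_dir, {}), entries.get(ref_dir, {})
    findings = []
    for name, (ref_size, ref_ts) in sorted(ref.items()):
        if name not in live:
            findings.append((name, "missing from live directory"))
            continue
        live_size, live_ts = live[name]
        if live_size != ref_size:
            findings.append((name, f"size {live_size} differs from reference {ref_size}"))
        elif live_ts != ref_ts:
            findings.append((name, f"timestamp {live_ts} differs from reference {ref_ts}"))
    return findings


LIVE = r"C:\WINDOWS\system32"
REF = r"C:\WINDOWS\ServicePackFiles\i386"

if __name__ == "__main__":
    for label, log in (("posted listing", PAGE_LOG), ("tampered listing", TAMPERED_LOG)):
        print(label, compare_with_reference(parse_dir_listing(log), LIVE, REF) or "no mismatches")
```

Size and timestamp are a cheap first filter, not proof of integrity: a patcher can preserve both, so a clean comparison here only means the DLLs are not obviously replaced, while a mismatch is a strong reason to hand the files to someone who can verify them properly.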


#5 alpha3

Posted 09 September 2009 - 09:17 AM

Any advice on what else I should check will be greatly appreciated.
