
my computer starts up with porn links on the desktop and fake antivirus programs


15 replies to this topic

#1 bugmento

bugmento

  • Members
  • 12 posts

Posted 25 October 2009 - 11:29 AM

Hi, this malware problem is really annoying me so I came to this forum for some help after reading the "how to use combofix" page.

my problem is that whenever i start up my computer, I have links to youporn.com and other porn sites that just appear on my desktop, and a window will pop up every few minutes saying "your computer can be infected with spying programs (spyware). it is recommended that you run a quick system check now" with ok or cancel buttons, but i know that this is a fake antivirus program. also i think the virus is blocking my access to certain sites that would help like microsoft.com and malwarebytes.org because i cannot access either site. i have run malwarebytes anti-malware program but nothing came up, though i think the virus is blocking malwarebytes from the internet because i cannot update it.

what i know about my computer:

toshiba satellite, running Windows XP (yeah it's a pretty old laptop), i use firefox as my web browser. also my computer came with McAfee Security Center and a window pops up asking whether to allow certain programs (.exe or .tmp files) access to the internet. I usually click "block all access" because I'm not sure what these programs do.

i'm really stuck and frustrated here and i don't really know how to get rid of this malware, so any help would be appreciated

thanks

Edited by The weatherman, 25 October 2009 - 11:39 AM.
Moved from HJT to a more appropriate forum. Tw




#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 25 October 2009 - 05:06 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Copy it over to the problem computer on a CD or pen drive if you need to.

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 27 October 2009 - 10:04 AM

Hi Budapest, i followed your instructions but Malwarebytes did not detect anything, which i think may be due to the fact that the virus is blocking me from going to malwarebytes.org and thus blocking updating of malwarebytes

here is the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

10/27/2009 11:01:22 AM
mbam-log-2009-10-27 (11-01-22).txt

Scan type: Quick Scan
Objects scanned: 57059
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 October 2009 - 02:48 PM

Try reinstalling Malwarebytes. You could copy the install file over from another computer if you need to.

#5 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 28 October 2009 - 09:30 AM

so you mean download the latest malwarebytes update from another computer and then use a flash drive to put it on this (problem) one?

i'll try that but i still think the virus is blocking malwarebytes somehow

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 28 October 2009 - 02:32 PM

Yes, that is what I mean. Run the rkill file right before you try to install Malwarebytes.

http://download.bleepingcomputer.com/grinler/rkill.scr

#7 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 31 October 2009 - 07:01 PM

hi Budapest, it's the weekend now so i had time to try what you suggested. I used my friend's computer to download the newest version of Malwarebytes off of the malwarebytes.org website, I put the file on my computer, ran Rkill, then installed Malwarebytes and ran it. Again, it couldn't update because the virus is blocking malwarebytes.org and windows.com

After Malwarebytes ran, it found 42 errors and i chose to delete them all, which required my computer to restart. After restarting, XP still started up with porn links on my desktop and i still keep getting the fake "windows malicious software removal tool" prompt. So basically i still have all the same problems.

any suggestions?

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 31 October 2009 - 10:54 PM

Download and run the latest version of rkill:

http://download.bleepingcomputer.com/grinler/rkill.scr

Then install the free version of SUPERAntiSpyware and scan with that.

#9 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 05 November 2009 - 06:56 PM

Hi again Budapest, so I used my friend's computer again to download superantispyware free version, because i think the virus was blocking me from visiting superantispyware.com. anyway, i ran rkill.scr, installed SuperAntiSpyware and used it to scan my computer. I am about to reboot now and I will write back with my results.


right after i rebooted, the virus seemed to go away, but this morning when i started up my computer, it still has all the same problems, ie youporn.com nudetube.com links that just appear on my desktop, the fake "windows malicious software removal tool" prompt, etc

what can i do now?

thanks

Edited by bugmento, 06 November 2009 - 09:35 AM.


#10 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 07 November 2009 - 08:24 PM

basically all of the effects of this virus are still present, except for right after i reboot after running SuperAntiSpyware. I don't really do anything about the virus and its effects during the week because i am busy then, so i kind of just ignore the fake anti-virus prompts and other things. I guess I will try running Malwarebytes and SuperAntiSpyware right now.

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 07 November 2009 - 10:35 PM

Sorry, I missed your last post.

Please post the Malwarebytes and SUPERAntiSpyware logs.

#12 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 08 November 2009 - 12:37 PM

i just started up my computer today, no porn links appearing on my desktop when i booted up, and so far no fake anti-spyware prompt. just ran malwarebytes and it still found some malware


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/8/2009 12:33:51 PM
mbam-log-2009-11-08 (12-33-51).txt

Scan type: Quick Scan
Objects scanned: 104825
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


i will reboot now and then run rkill with SuperAntiSpyware
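
Added example, not part of the original posts and not Malwarebytes' own code: the Hijack.Userinit entry in the log above shows a Winlogon Userinit value that lists a second program after userinit.exe, which is how the infection restarted at every logon. This Python sketch parses log lines in the format shown and reports any Userinit entry other than userinit.exe in system32. The function names are hypothetical, the system root is assumed to be C:\WINDOWS, and the sample lines are copied from the log in this post.

```python
import ntpath
import re

# Sample input: lines copied from the Malwarebytes log in the post above.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Detection lines look like: "<object> (<detection name>) -> <details>"
DETECTION = re.compile(r"^(?P<object>.+?) \((?P<name>[\w.\-/]+)\) -> (?P<rest>.+)$")
BAD_DATA = re.compile(r"Bad: \((?P<bad>.*?)\) Good:")


def unexpected_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Return entries of a Winlogon Userinit value that are not the stock userinit.exe."""
    # Winlogon runs every comma-separated program in this value at logon.
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    entries = [e.strip() for e in value.split(",") if e.strip()]
    allowed = (expected, "userinit.exe")  # the log's "Good" value is the bare name
    return [e for e in entries if ntpath.normcase(ntpath.normpath(e)) not in allowed]


def triage(log_text):
    """Return (detections, extra logon programs) parsed from a scan log."""
    detections, extra_logon_programs = [], []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # section headers, counters and "(No malicious items detected)"
        detections.append((m["object"], m["name"]))
        bad = BAD_DATA.search(m["rest"])
        if bad and m["object"].lower().endswith(r"\winlogon\userinit"):
            extra_logon_programs += unexpected_userinit_entries(bad["bad"])
    return detections, extra_logon_programs


if __name__ == "__main__":
    found, extras = triage(SAMPLE_LOG)
    for obj, name in found:
        print(f"{name}: {obj}")
    for path in extras:
        print(f"Extra program launched at logon via Userinit: {path}")
```

The flagged path also stands out on its own: the genuine smss.exe lives in system32, not in system32\drivers.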

#13 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 08 November 2009 - 12:54 PM

okay SuperAntiSpyware found some spyware/malware too


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/08/2009 at 12:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4162
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:09:23

Memory items scanned : 515
Memory threats detected : 0
Registry items scanned : 484
Registry threats detected : 0
File items scanned : 9233
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Ryan\Cookies\ryan@tacoda[2].txt
C:\Documents and Settings\Ryan\Cookies\ryan@at.atwola[1].txt
C:\Documents and Settings\Ryan\Cookies\ryan@advertising[2].txt

Trojan.Agent/Gen-WIWOW64
C:\WINDOWS\SYSTEM32\WMDTC.EXE

#14 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 08 November 2009 - 03:59 PM

Please run another scan with SUPERAntiSpyware in Safe Mode. Then boot back into Normal Mode and scan with Malwarebytes.

#15 bugmento

bugmento
  • Topic Starter

  • Members
  • 12 posts

Posted 12 November 2009 - 09:07 AM

Hey Budapest,

I was tired of dealing with this virus so I used my System Recovery CD to wipe and reboot my computer to the out-of-box state. It seemed to work, though it didn't last time. I appreciate you helping me and the advice you gave.

Thanks,

Ryan



