Can't get anything to run - keep getting "windows security alert"


12 replies to this topic

#1 Cindyknowsnocomputer

Posted 27 October 2009 - 08:29 PM

My laptop appears to be infected with something. Problem is I can't get connected to the internet long enough to download any malware or spyware removal tools.
When I log on, IE opens to Yahoo page okay, but then I get a popup that says "Windows Security Alert - Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now."
No, it's not a typo - it does say "scan you computer" not scan your computer.

Then eventually, www.adult.com comes up in IE.

This time I also got a popup box with a red header that says "antivirus system pro alert:
Infiltration alert. Your cmputer is being attacked by an internet virus. It could be a password stealing attack, a trojan-dropper or similar.

Details:
Attack from 201.175.49.234, port 7768
Attacked port 26071
Threat BankerFox.A"

Have gotten this box and seen several different "threat" names.

I'm not sure how to get anything downloaded when I can't get connected to the internet long enough to get anything started.

#2 rigel (FD-BC)

Posted 27 October 2009 - 08:57 PM

Welcome to BC :thumbsup:

A few steps to begin:

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Next:
Run RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
Finally:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Cindyknowsnocomputer (Topic Starter)

Posted 28 October 2009 - 07:55 PM

I can't do any of the things you've asked because I can't get the computer to stop doing all the crazy stuff it's doing to be able to get on the internet and download the stuff.

#4 Cindyknowsnocomputer (Topic Starter)

Posted 28 October 2009 - 08:19 PM

Well, I managed to get the first two steps done...but when on the malwarebytes part, I get an error that says unable to execute file
C:program files..blah, blah..mbam.exe
Createprocess failed: code 2
The system cannot find the file specified.

I've been downloading the files you suggested to a flash drive and then using that in the laptop since I couldn't get on the internet with the laptop.
Could this be part of the problem?

#5 rigel (FD-BC)

Posted 29 October 2009 - 07:42 AM

No... It should work fine from the flash drive - installing.

Did RKill work?

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.



#6 Cindyknowsnocomputer (Topic Starter)

Posted 01 November 2009 - 09:38 PM

Yes, as far as I could tell RKill worked.
I ran RootRepeal, but I can't paste the log because I can't get logged into the internet from the laptop.
Now it says it can't acquire a network address.

I have saved the log though and can answer any questions.
There are a number of "hidden/locked files" that say, "invisible to the windows API".

#7 Cindyknowsnocomputer (Topic Starter)

Posted 01 November 2009 - 10:09 PM

In addition, my wireless connection will not seem to connect. I keep getting a message that says "acquiring network address", but it never connects.

And I tried hooking straight to the modem and it won't connect to the internet either. But I know the internet connection works because the desktop works fine.

UGH

Edited by Cindyknowsnocomputer, 02 November 2009 - 11:51 AM.


#8 rigel (FD-BC)

Posted 02 November 2009 - 11:16 PM

I have been reading on your problem... you have one of the newer infections.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#9 Cindyknowsnocomputer (Topic Starter)

Posted 03 November 2009 - 09:12 AM

I ran the smitfraudfix and saved the file, but again, I can't get onto the internet from that computer, so I have no way of getting to this website to post the report.

What do I do next?

#10 rigel (FD-BC)

Posted 03 November 2009 - 08:53 PM

Can you transfer that log via flash drive to a working computer?



#11 Cindyknowsnocomputer (Topic Starter)

Posted 03 November 2009 - 08:57 PM

Thanks...didn't think about doing it that way!
Here's the log.
Also, can't seem to start in safe mode either.



SmitFraudFix v2.424

Scan done at 9:08:20.26, Tue 11/03/2009
Run from E:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\svchost.exe
E:\SmitfraudFix\Policies.exe
E:\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

91.212.127.226 ossecure2009.microsoft.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\iehelper.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\main


C:\DOCUME~1\main\LOCALS~1\Temp


C:\Documents and Settings\main\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3957f069-c690-4aa3-a6b5-b714cf9a2150}"="gahurihor"

[HKEY_CLASSES_ROOT\CLSID\{3957f069-c690-4aa3-a6b5-b714cf9a2150}\InProcServer32]
@="c:\windows\system32\wogutopa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3957f069-c690-4aa3-a6b5-b714cf9a2150}\InProcServer32]
@="c:\windows\system32\wogutopa.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="c:\\windows\\system32\\wogutopa.dll,kupirire.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End

#12 rigel (FD-BC)

Posted 04 November 2009 - 08:24 AM

Good ... we need to do two things. The program reported that you have a corrupted HOSTS file. I recommend visiting http://www.mvps.org/winhelp2002/hosts.htm and downloading their HOSTS file to replace yours. I use it on all my computers.

Next...

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

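The SmitfraudFix report posted in reply #11 and the HOSTS-file advice in this reply come down to the same handful of checks: a hosts entry that sends a microsoft.com hostname to 91.212.127.226, a SharedTaskScheduler COM object whose InProcServer32 is a random-named DLL in system32, that DLL (plus a second one) in AppInit_DLLs, and the Winlogon Userinit value. The script below is an added example written for this page; it is not part of the thread, of SmitfraudFix, or of BleepingComputer's procedure. It parses a SmitfraudFix-style report (the embedded sample is constructed, abridged from the log above) and returns, per section, the entries a helper would want to see. The two baseline SharedTaskScheduler CLSIDs it treats as clean are an assumption about a stock Windows XP, not something the thread states, and all function and constant names are the example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample, abridged from the SmitfraudFix log posted in this thread.
# Registry lines keep the doubled backslashes of a .reg export, as the tool prints them.
SAMPLE_REPORT = r"""
hosts file corrupted !
91.212.127.226 ossecure2009.microsoft.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3957f069-c690-4aa3-a6b5-b714cf9a2150}"="gahurihor"
[HKEY_CLASSES_ROOT\CLSID\{3957f069-c690-4aa3-a6b5-b714cf9a2150}\InProcServer32]
@="c:\windows\system32\wogutopa.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="c:\\windows\\system32\\wogutopa.dll,kupirire.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
HOST_RE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)')

# Registry names are case-insensitive, so keys and value names are compared lower-cased.
STS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Assumption, not from the thread: the two SharedTaskScheduler entries a stock Windows XP
# carries (browseui.dll preloader and the Component Categories cache daemon).
STS_BASELINE = {"{438755c2-a8ba-11d1-b96b-00a0c90312e1}", "{8c7461ef-2b13-11d2-be35-3078302c2030}"}

def parse_registry(report):
    """Map each [HKEY_...] block to a lower-cased name -> value dict (REG_SZ unescaped, REG_DWORD as int)."""
    keys, current = {}, None
    for line in map(str.rstrip, report.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name = (val.group(1) or "@").lower()
            if val.group(3) is not None:
                keys[current][name] = int(val.group(3), 16)
            else:
                keys[current][name] = val.group(2).replace("\\\\", "\\")
    return keys

def hosts_hijacks(report):
    """hosts entries that send a name to a routable address. Blocking entries (127.0.0.1 or
    0.0.0.0, which is all the MVPS file uses) are fine; anything else is a redirect the user did not set."""
    hits = []
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue
        name = m.group(2).lower()
        if not (ip.is_loopback or ip.is_unspecified or name == "localhost"):
            hits.append((str(ip), name))
    return hits

def shared_task_scheduler_hits(keys):
    """(clsid, friendly_name, dll) for each non-baseline SharedTaskScheduler entry.
    Explorer loads these in-process at every logon, so a random-named DLL here is persistence."""
    hits = []
    for clsid, friendly in keys.get(STS_KEY, {}).items():
        if clsid in STS_BASELINE:
            continue
        dll = None
        for hive in (r"hkey_classes_root\clsid", r"hkey_local_machine\software\classes\clsid"):
            server = keys.get(hive + "\\" + clsid + r"\inprocserver32", {})
            if "@" in server:
                dll = server["@"]
                break
        hits.append((clsid, friendly, dll))
    return hits

def appinit_dlls(keys):
    """DLLs user32.dll injects into every GUI process. Vista and later honour the list only when
    LoadAppInit_DLLs is 1; XP, the OS in this log, loads it unconditionally, so report it whenever set."""
    return [d for d in re.split(r"[ ,;]+", keys.get(APPINIT_KEY, {}).get("appinit_dlls", "")) if d]

def userinit_extras(keys):
    """Anything Winlogon's Userinit value runs besides the stock system32 userinit.exe."""
    value = keys.get(WINLOGON_KEY, {}).get("userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]

def triage(report):
    """Run every check over one report; an empty list means that section is clean."""
    keys = parse_registry(report)
    return {"hosts": hosts_hijacks(report),
            "shared_task_scheduler": shared_task_scheduler_hits(keys),
            "appinit_dlls": appinit_dlls(keys),
            "userinit_extras": userinit_extras(keys)}
```

Calling `triage(SAMPLE_REPORT)` flags the hosts redirect, resolves the gahurihor CLSID to c:\windows\system32\wogutopa.dll, and lists both AppInit DLLs, while Userinit comes back clean, which is exactly the picture in the posted log. To use it on a real case, paste the text of the option #1 report in place of the sample. The hosts check is deliberately about the destination address, not the hostname: a hostname under microsoft.com pointed at a non-Microsoft IP is the tell, and the same test catches a redirected antivirus vendor domain just as well.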


#13 Cindyknowsnocomputer (Topic Starter)

Posted 05 November 2009 - 07:37 PM

As I stated before, I couldn't start in Safe Mode. I got the blue screen of death if I tried that.
I've given up and taken the laptop to someone to fix it.

I appreciate your time and your assistance.



