
trojan spm/lx infection


  • This topic is locked
37 replies to this topic

#1 zooter

zooter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 20 November 2009 - 03:09 PM

Links are hijacked in both browsers
I got a notice from my antivirus that the registry was infected
One of the popups said Spyware threat detected!
it listed 3 threats:
SpyBot.Bank32.dll
AdWare.Win32.Zwnagi
Exploit.HTML.Ascii.b

Another popup says: Advanced Spy Remover, Critical Vulnerables Found
SpyBot.Bank32.dl
Trojan-GameThief.Win32.WOW
Virus: W32/Alman.B

Another popup says "your computer is being attacked from a remote machine! /
Attacker IP: 160.115.169.212
Attack type: lsass.exe exploit

Another popup from Advanced Virus Remover said
Your computer is being attacked from a remote machine. Block internet access to your computer to prevent system infection.
Attaker IP:98.74.219.180
Attack Type: Remote injection attack

And another popup says Critical Warning!
Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in a website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

I'm unable to run the DDS Application, it starts to run and I keep getting a continual popup that says
Application cannot be executed. The file is infected. Please activate your antivirus software.

I did run root repeal and am attaching the ark.txt

Attached Files

  • Attached File  ark.txt   3.4KB   1 downloads

Edited by zooter, 20 November 2009 - 04:17 PM.



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 27 November 2009 - 11:10 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 30 November 2009 - 02:37 PM

logs are attached

Attached Files

  • Attached File  info.txt   32.26KB   6 downloads
  • Attached File  log.txt   37.09KB   3 downloads

Edited by zooter, 30 November 2009 - 02:58 PM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 05:39 AM

Hi zooter,

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • New Rsit log
Thanks



#5 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 11:52 AM

I ran MBAM and have attached the log.
I downloaded the other program, h8lilvlo.exe but got an error when trying to run it
h8lilvlo.exe has encountered a problem and needs to close. We are sorry for the inconvenience.



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 12:32 PM

Ok leave the other for now, we will use a different tool.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 12:47 PM

Hello
I actually tried downloading another GMER and it is currently scanning.
Should I let it continue to scan or stop it and run the combo fix?
thank you

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 12:56 PM

Yes you can stop it and run combofix :(



#9 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 01:02 PM

Ok great, stopped it and now running combo fix.

#10 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 01:44 PM

Here is the combofix log
let me know whats next
thank you



#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 03:40 PM

That doesn't look too bad, please let me know in your next reply if you are still having any problems.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-
"8085:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


[picture: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then

Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\adsldpm.sys

Please post back with the link to the scan results, in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Please post back here with the following logs:
  • Combofix.txt
  • jotti link
Thanks

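An added example to go with the CFScript above. It is not from the thread and not ComboFix's own code: it takes a `.reg` export of the GloballyOpenPorts\List key (the same key the script targets), audits each entry against an allowlist of exceptions the machine is expected to have, and emits the `Registry::` block with the `"name"=-` delete syntax used above. Assumptions: the sample `.reg` text below is constructed to resemble the thread's entries (the `@xpsp2res.dll` resource ids are placeholders); the allowlist of 139/445 TCP and 137/138 UDP restricted to `LocalSubNet` is what XP's File and Printer Sharing exception normally opens, and may not be right for every machine; the value data format `port:proto:scope:Enabled:name` is the XP SP2 firewall's; and `HKLM\~\services` is ComboFix's abbreviation of the `SYSTEM\CurrentControlSet\services` path, copied from the script above.

```python
"""Added example (not from the thread, not ComboFix's code): audit the
XP firewall GloballyOpenPorts list and emit a CFScript block that deletes
the entries that should not be there."""
import re

# Key exactly as the thread's CFScript names it; ComboFix abbreviates
# SYSTEM\CurrentControlSet\services as "~" (assumption, copied from the thread).
CFSCRIPT_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\GloballyOpenPorts\List")

# Constructed sample of a `reg export` of that key. The resource ids after
# @xpsp2res.dll are placeholders; the svchost entries mimic the thread's.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"135:TCP"="135:TCP:*:Enabled:svchost"
"5000:TCP"="5000:TCP:*:Enabled:svchost"
"8085:TCP"="8085:TCP:*:Enabled:svchost"
'''

# Assumed baseline: what File and Printer Sharing opens, limited to the LAN.
EXPECTED = {"139:TCP": "LocalSubNet", "445:TCP": "LocalSubNet",
            "137:UDP": "LocalSubNet", "138:UDP": "LocalSubNet"}

# One value line: "port:proto"="port:proto:scope:Enabled:name"
VALUE_RE = re.compile(r'^"(?P<name>\d+:(?:TCP|UDP))"="(?P<data>[^"]*)"\s*$', re.M)


def parse_open_ports(reg_text):
    """Return {'port:proto': data} for every value under the List key."""
    return {m["name"]: m["data"] for m in VALUE_RE.finditer(reg_text)}


def audit_open_ports(entries, expected):
    """Return {'port:proto': reason} for entries that are not in the allowlist,
    or that are allowlisted but opened to a wider scope ('*' = any host)."""
    findings = {}
    for name, data in entries.items():
        fields = data.split(":")
        scope = fields[2] if len(fields) > 2 else "?"
        if name not in expected:
            findings[name] = "not in allowlist"
        elif scope != expected[name]:
            findings[name] = f"scope is {scope!r}, expected {expected[name]!r}"
    return findings


def build_cfscript(names):
    """Emit the Registry:: block; '"name"=-' deletes that value, as in the thread."""
    lines = ["Registry::", f"[{CFSCRIPT_KEY}]"]
    lines += [f'"{n}"=-' for n in sorted(names, key=lambda n: int(n.split(":")[0]))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_open_ports(parse_open_ports(SAMPLE_REG), EXPECTED)
    for name, why in found.items():
        print(f"{name:10} {why}")
    print(build_cfscript(found))
```

On the constructed sample this flags 135, 5000 and 8085 as unexpected and 445 as opened to every host instead of the local subnet, and prints a CFScript that removes those four. Review the findings before saving them as CFScript.txt; the rest of the thread's warning stands, ComboFix should only be run when a helper asks for it.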


#12 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 04:24 PM

Hello, here is the ComboFix txt file
however i could not locate a c:\windows\system32\adsldpm.sys file
could only find c:\windows\system32\adsldp.dll



#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 04:29 PM

That's strange, it's still showing in your ComboFix log, let's take a look.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    adsldpm.sys
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#14 zooter

zooter
  • Topic Starter

  • Members
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:43 AM

Posted 01 December 2009 - 04:35 PM

ok I downloaded system look and ran it with your code
here are the results

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:31 on 01/12/2009 by M Iudice (Administrator - Elevation successful)

========== filefind ==========

Searching for "adsldpm.sys"
C:\WINDOWS\system32\adsldpm.sys --ahs- 15381081 bytes [20:28 10/08/2009] [15:45 14/08/2009] DBCCE6147AB6424DA9C8EB138D6072B1

-=End Of File=-
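An added example, not part of the thread and not SystemLook's own code: a parser for SystemLook `:filefind` result lines like the one above, with two triage rules a helper would apply by eye. The first sample line is the one posted in this thread; the second is a constructed benign control (a `drivers\atapi.sys` line with an all-zero placeholder MD5 and made-up size and dates). Assumptions: the `h` and `s` letters in the attribute field mean hidden and system (the `a` is archive); a 2 MB threshold as "unusually large for a kernel driver" is a heuristic, not a rule; and the two bracketed timestamps are kept as-is without claiming which is creation and which is modification.

```python
"""Added example (not from the thread or SystemLook): parse SystemLook
filefind output and flag files that look like the hidden driver in this thread."""
import re

# First result line is the thread's; the atapi.sys line is a constructed
# benign control with a placeholder MD5 and made-up size/dates.
SAMPLE_LOG = r"""========== filefind ==========

Searching for "adsldpm.sys"
C:\WINDOWS\system32\adsldpm.sys --ahs- 15381081 bytes [20:28 10/08/2009] [15:45 14/08/2009] DBCCE6147AB6424DA9C8EB138D6072B1

Searching for "atapi.sys"
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [12:00 04/08/2004] 00000000000000000000000000000000

-=End Of File=-
"""

# path  attrs  size bytes  [timestamp]  [timestamp]  md5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attr>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$",
    re.M,
)

# Heuristic (assumption): legitimate .sys drivers are rarely this big.
DRIVER_SIZE_LIMIT = 2 * 1024 * 1024


def parse_filefind(log_text):
    """Return one dict per result line, in log order."""
    return [
        {"path": m["path"], "attr": m["attr"], "size": int(m["size"]),
         "ts1": m["ts1"], "ts2": m["ts2"], "md5": m["md5"].upper()}
        for m in LINE_RE.finditer(log_text)
    ]


def assess(rec):
    """Return the list of reasons this record deserves a second look."""
    reasons = []
    # 'h' and 's' in the attribute field are assumed to mean hidden + system,
    # the combination that makes a file invisible in Explorer by default.
    if "h" in rec["attr"] and "s" in rec["attr"]:
        reasons.append("hidden+system attributes set")
    if rec["path"].lower().endswith(".sys") and rec["size"] > DRIVER_SIZE_LIMIT:
        reasons.append(f"{rec['size']} bytes is unusually large for a kernel driver")
    return reasons


def triage(log_text):
    """Return {path: [reasons]} for every record with at least one indicator."""
    flagged = {}
    for rec in parse_filefind(log_text):
        reasons = assess(rec)
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On the sample this flags only `adsldpm.sys`, for both reasons. The parsed MD5 is also what you would paste into VirusTotal's hash search if the upload step in post #11 is blocked by the infection, since a hash lookup needs no file transfer from the infected machine.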

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:43 PM

Posted 01 December 2009 - 04:41 PM

Yep still there, did you make sure to unhide hidden files?
