Possible Virus (Exploit.pdf) Malware (Trojan.Fakealert)


17 replies to this topic

#1 dawnsangel8397
  • Members
  • 29 posts

Posted 01 December 2009 - 11:16 AM

Hi,

I was notified by my AVG anti-virus that it caught a virus. I did a full scan and it found "virus identified exploit.pdf" which it said it removed. I then ran malwarebytes which found "trojan.fakealert" which it said it removed. I ran scans on AVG, Malwarebytes, and Spybot the following day which found nothing ( except the usual cookies ). However, I still think there is something that is still affecting my computer. When I started my computer this morning and clicked on internet explorer, it opened the web page and also gave me a box that said internet explore could not find page and then the rest of the box had jumbled letters. It then continued to open internet explorer 7 more times with the same message. ( I didn't click on it any of those times, and even though I received those messages, there were 7 windows opened to my home page ). Also, when I do a google search and click on a link, it takes me to a different website.
I'm running Windows XP. Any help you can give me would be appreciated.

Dawn


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 12:01 PM

Hello and welcome. Let's get another look..

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 01:19 PM

You said to save MBAM as zztoy.exe. I already have MBAM, do you want me to uninstall it and reinstall it from your link?

#4 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 01:34 PM

I went ahead and ran the Mbam from the one I already had installed and pasted the results below:

Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 3

12/1/2009 1:27:52 PM
mbam-log-2009-12-01 (13-27-52).txt

Scan type: Quick Scan
Objects scanned: 115007
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 01:52 PM

Hello, I put that in there as many times, especially on first installs, some malware will block these tools and we need to fool them.
Let's run SAS from safe mode and see if we can get it.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#6 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 02:59 PM

I downloaded SAS, but when I went to restart in safe mode, I got a blue screen telling me it encountered a problem and was shutting down. I tried 3 times with the same results. I then logged in normally to windows and got a resident shield alert that 3 Trojans were found. I quarantined them and closed down. When I try to start the computer in normal or safe mode - I get the blue screen. I'm sending this from a different computer.

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 03:09 PM

Hello, what program found these, and can you name the 3, please?

#8 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 03:27 PM

AVG found them first, then SAS kicked in and was listing things found. Unfortunately, I stopped both and was going to post a reply, but could not get into the web. I rebooted and got the blue screen, so now I can't get into anything to look it up. I know SAS was saying it was a critical threat and was a password stealer. Sorry I can't give you more info. Is there any hope, or am I going to need a new computer?

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 03:44 PM

Do you have your XP CD/DVD? We can either do a repair or full install.

#10 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 04:02 PM

Yes I do

#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 04:14 PM

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.
A repair install should get your machine back... still requiring malware removal and updates.
A full reformat (wipe) and install gives you the machine back, but you will lose all files.

You need to decide,
I am going to post a lot of info to help you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

REPAIR Install...How to Perform a Windows XP Repair Install
The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
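The two backup rules in this post (keep data files; skip executables, web pages and archives; look closely at any name carrying a hidden second extension) and the autorun.inf-folder trick the post credits to Flash_Disinfector, as an added Python example. It is not part of the thread and not boopme's, sUBs' or BleepingComputer's code. The extension lists come from the post; the sample file names, the `classify`, `plan_backup` and `guard_autorun` helpers, and the temporary directory standing in for a flash drive are the example's own assumptions.

```python
"""Backup triage and flash-drive autorun guard.

Added example for this thread, not a BleepingComputer tool. Applies the
post's backup guidelines and the autorun.inf-folder trick it attributes to
Flash_Disinfector. Sample file names below are constructed.
"""
import os
import tempfile
from pathlib import Path

# Extensions the post lists as data worth keeping.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}
# Extensions the post says not to back up because they may carry malware.
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# The post writes autorun.ini; autorun.inf is the name Windows acts on. Skip both.
SKIP_NAMES = {"autorun.inf", "autorun.ini"}


def classify(name: str) -> tuple[str, str]:
    """Return ('backup' | 'skip', reason) for one file name.

    Explorer hides known extensions by default, so 'holiday.jpg.exe' shows as
    'holiday.jpg'. Any name whose final suffix is in SKIP_EXTENSIONS is
    skipped; a data-looking inner suffix is called out in the reason.
    """
    lower = name.lower()
    if lower in SKIP_NAMES:
        return "skip", "autorun file"
    suffixes = Path(lower).suffixes
    if not suffixes:
        return "skip", "no extension"
    last = suffixes[-1]
    if last in SKIP_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTENSIONS:
            return "skip", f"double extension {suffixes[-2]}{last}"
        return "skip", f"excluded extension {last}"
    if last in DATA_EXTENSIONS:
        return "backup", f"data file {last}"
    return "skip", f"unlisted extension {last}"


def plan_backup(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk root; return {'backup': [(relpath, reason)], 'skip': [...]}."""
    plan: dict[str, list[tuple[str, str]]] = {"backup": [], "skip": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            decision, reason = classify(fname)
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            plan[decision].append((rel, reason))
    return plan


def guard_autorun(drive_root: str) -> Path:
    """Create a folder named autorun.inf at drive_root (hidden on Windows).

    While a folder holds that name, no file called autorun.inf can be dropped
    in the same place, which is the protection the post describes.
    """
    guard = Path(drive_root, "autorun.inf")
    guard.mkdir(exist_ok=True)
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(guard), 0x02)  # FILE_ATTRIBUTE_HIDDEN
    return guard


def autorun_file_blocked(drive_root: str) -> bool:
    """True if a file named autorun.inf can no longer be created at drive_root."""
    target = Path(drive_root, "autorun.inf")
    try:
        with open(target, "xb"):  # O_CREAT|O_EXCL: fails if the name is taken
            pass
    except OSError:  # FileExistsError / PermissionError: the guard folder wins
        return True
    target.unlink()  # no guard: the probe file was created, so remove it again
    return False


def demo_backup() -> dict[str, list[tuple[str, str]]]:
    """Triage a constructed sample folder mixing data and risky files."""
    sample = ["letter.doc", "notes.txt", "song.mp3", "holiday.jpg",
              "holiday.jpg.exe", "setup.exe", "saver.scr", "page.html",
              "data.xml", "stuff.zip", "autorun.inf"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sample:
            Path(tmp, name).write_bytes(b"constructed sample content")
        return plan_backup(tmp)


def demo_guard() -> tuple[bool, bool]:
    """(blocked before guard, blocked after guard) on a temp 'flash drive'."""
    with tempfile.TemporaryDirectory() as drive:
        before = autorun_file_blocked(drive)
        guard_autorun(drive)
        after = autorun_file_blocked(drive)
    return before, after


if __name__ == "__main__":
    for decision, entries in demo_backup().items():
        for rel, reason in entries:
            print(f"{decision:6} {rel:18} {reason}")
    print("autorun guard (blocked before, after):", demo_guard())
```

Run it directly to print the triage of the constructed sample and the before/after result of the guard; point `plan_backup` at a real folder to get the keep/skip list for your own backup. The guard works because a file and a folder cannot share a name in one directory, but a plain folder can still be removed by anything running with enough rights, so it is the precaution the post describes rather than a guarantee.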

#12 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 06:34 PM

What I'd like to do is a full reformat, but I don't understand how to do that if I can't get into my computer at all. I get the blue screen on start up in both safe mode and normal mode.

#13 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 01 December 2009 - 06:35 PM

I forgot to tell you that I can get into the setup, but that's all.

#14 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 08:09 PM

You will be rebooting the PC off the CD drive. This will boot the PC and then it will ask you if you want to reinstall.

Since you can get to setup be sure the PC is set to Boot from the CD Drive.


{From The Michael Stevens Tech link}
Preparation http://michaelstevenstech.com/cleanxpinstall.html
Does your system allow booting from the CD? Check your BIOS by noting during boot up the Key Commands needed to access the BIOS, this will be a text message usually at the bottom of the screen. If your system has a splash screen with the OEM logo hiding the boot up screen, press ESC as soon as you start boot up. When you get to the BIOS, access the screen that allows you to change the boot sequence. Set it to boot from CD before hard drive in the boot sequence. Some systems can change the boot sequence without accessing the BIOS, laptops for the most part do not need to access the BIOS.

If your computer does not support booting from the CD, check your OEM or Motherboard makers web site for updated BIOS. If the system is old enough it doesn't support booting from CD, you should carefully evaluate your options. Sometimes the complete replacement of the system will be a better investment than the likely need to upgrade hardware and software to run XP.

If booting from CD is impossible, you have the options below.

Download the XP floppy boot disk set from Microsoft. Home and Pro plus the SP1 version of Home and Pro can be downloaded from the link below.

XP Boot Floppy Set


But First
Click on the link I provided, Reformatting Windows XP. Read it, as you will need to get a few things first. Maybe you'll want to print the tutorial.

#15 dawnsangel8397
  • Topic Starter
  • Members
  • 29 posts

Posted 05 December 2009 - 12:02 AM

Sorry I didn't get back to you sooner. My internet was down for 2 days. I tried to do what you said, and was able to boot up with the CD. I then backed up all my data, and that's where my progress ends. I realized when I got the system back up that it wasn't the anti-virus software that you had me install that started the scan. It was one of those scam softwares - Anti-virus System Pro, and it won't let me get into anything. Everything I click on comes up as infected and it won't let me proceed unless I buy their software. I tried going into start->run->diskmgmt.msc, but I get the same message and it won't let me do anything else. I'm at a standstill now! I also want to let you know that I have 2 hard drives. Is there any possibility of it working if I take out the main drive and just leave the second drive? If so, how do I go about changing the jumper settings and wiping the second drive?

Dawn



