
Infected by AntiVirus PLUS, smitfraud, virtumonde


  • Please log in to reply
1 reply to this topic

#1 therealpig

  • Members
  • 25 posts

Posted 06 January 2010 - 01:20 PM

I was helping my aunt with a recent spyware infection with some success, and using SAS I removed over 20 items amongst which were smitfraud, virtumonde, and a few I didn't recognize.

Looking through her programs list, I saw My Web Tattoo which would not allow me to delete it, and a few toolbars which I did delete. I'm sure they downloaded some things to cause these problems.

She told me that she had downloaded a program online called AntiVirus PLUS and that she eventually had to pay them to clean some stuff. After reading up on spyware, she called her credit card company and cancelled the charge (which was $30 more than the program told her) and called me to help clean up the system.

I also ran AVG Anti-Rootkit and found nothing, but I'm nervous that there's still a backdoor or rootkit hiding on the system since I can't run MBAM at all and I'm having trouble getting Ad-Aware to do its job. Any advice would be appreciated.

EDIT: MBAM gives me several RUN_TIME ERROR 1 / APPLICATION ERROR 0 (something like that) immediately after install, every time I try to execute, and immediately after uninstall. I thought I might try to rename the files during download.

Note: XP MCE with a little over 300 MB RAM (I thought this might not allow the programs to run)
-I advised her to look into upgrading RAM-
I'm not very familiar with MCE, but I notice a lot of running processes on startup (50+). I was going to look into that next.

EDIT: Currently, there seems to be something hijacking her Yahoo web searches, but not any others like Google. When searching Yahoo, results never get displayed, and the IP address that is shown (Firefox extension) belongs to somebody in Germany or Poland on a WHOIS search.

Edited by therealpig, 07 January 2010 - 11:05 AM.



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 06 January 2010 - 07:11 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
