Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected...Please Help


  • This topic is locked This topic is locked
11 replies to this topic

#1 Roached1

Roached1

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 13 January 2010 - 09:14 PM

Guys...I need help...

I've done the research on my symptoms, and have (I think), narrowed them down to being a variant of the Sasser virus, and the Google redirect problem.

I have read multiple topics and have thought about trying what was suggested to the poster by the pro; I would just feel more comfortable doing the fixes (I hope) on a one-on-one basis.

I have had the re-direct issue with Google problem for the last past three days. I have AVG and Malwarebytes and have ran them both multiple times with daily updates and nothing is found...yet the problem persits.

I also ran across the the system automatic shutdown problem that seems to be the syptom of the Sasser issue. On my "Local Area Connection" icon that I turned on about a year ago....it seems to be sending and recieving data constantly (which it never did before).

Once again; I have ran everything that I feel comfortable running on my pc on my own. SO...I NEED PROFESSIONAL HELP NOW.

I am running Windows XP Home Edition with service Pack 3. I have my automatic updates from Windows turned on and have checked daily for new ones just to try and catch anything I might have missed.

Someone please help.

Thank you, in advance.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 13 January 2010 - 11:59 PM

Hello and welcome.. Let's try these and see what shows.
Are you getting a countdown?
If you're sending,it may be sending personal info out. Try keeping it off the net as much as possible.

Your MBAM log comes back clean?

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 14 January 2010 - 09:10 PM

Sorry for the late reply Boopme.....had to go do that thing called work.....sux....anyway....

Yes...it did do the countdown (twice on me). I did run Malwarebytes and it did find a couple of items back a couple of days ago. I haven't had the "countdown" problem since. BUT...the "Local area Connection" still seemed to be running all of the time after that.

I keep having the redirect problem with Google ( don't use Yahoo or other search engines that much).

I have ran what you told me to and here are the reports: (Once again...I thnk ou in advance for all of your help)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/14/2010 at 07:28 AM

Application Version : 4.33.1000

Core Rules Database Version : 4476
Trace Rules Database Version: 2294

Scan type : Complete Scan
Total Scan Time : 01:57:45

Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 5128
Registry threats detected : 0
File items scanned : 56111
File threats detected : 3

Adware.OneStep/Kwanzy
C:\PROGRAM FILES\SEEKDNS\SEEKDNS(2).EXE

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz2.91462.blueseek[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@collective-media[1].txt

And here is the ESET results:


C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MTRCOPXH\zone[1].txt HTML/Iframe.B.Gen virus deleted - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MVOPYZI3\fmCAF6X2V4.js HTML/Iframe.B.Gen virus deleted - quarantined

Edited by boopme, 14 January 2010 - 09:22 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 14 January 2010 - 09:25 PM

hi, yeah we all have those other annoying things to do.

I think it will be helpful to see these now.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Next run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 15 January 2010 - 06:18 AM

Morning Boop,

Here are the two scan results I ran this morning.

MBAM LOG Report:


Malwarebytes' Anti-Malware 1.44
Database version: 3568
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/15/2010 4:00:24 AM
mbam-log-2010-01-15 (04-00-24).txt

Scan type: Quick Scan
Objects scanned: 120324
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And finally the SmitFraud Report:
SmitFraudFix v2.424

Scan done at 5:07:57.81, Fri 01/15/2010
Run from C:\Documents and Settings\Doody\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doody\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Doody


C:\DOCUME~1\Doody\LOCALS~1\Temp


C:\Documents and Settings\Doody\Application Data


Start Menu


C:\DOCUME~1\Doody\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.72.134
DNS Server Search Order: 68.87.77.134

HKLM\SYSTEM\CCS\Services\Tcpip\..\{61F8CE2D-B9FB-4F94-80C6-97739D03D1F2}: DhcpNameServer=68.87.72.134 68.87.77.134
HKLM\SYSTEM\CS1\Services\Tcpip\..\{61F8CE2D-B9FB-4F94-80C6-97739D03D1F2}: DhcpNameServer=68.87.72.134 68.87.77.134
HKLM\SYSTEM\CS2\Services\Tcpip\..\{61F8CE2D-B9FB-4F94-80C6-97739D03D1F2}: DhcpNameServer=68.87.72.134 68.87.77.134
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.134 68.87.77.134
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.134 68.87.77.134
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.134 68.87.77.134


Scanning for wininet.dll infection


End

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 15 January 2010 - 02:25 PM

Afternoon roach.. So how is the redircts and sending?ONLY of you still have the google redirects run..

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 16 January 2010 - 08:08 AM

Mornin Boop...

Yeah...I am still getting the redirects..amd the "sending" seems to still have "more-than-usual" activity.



Here is the GooredFix log I just ran.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 07:03 on 16/01/2010 (Doody)
Firefox version [Unable to determine]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:17 22/04/2009]

-=E.O.F=-

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 16 January 2010 - 11:02 AM

Drat my man,it is hiding.. one more here then we do HJT if no gain.
Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.[/i]
  • Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator) from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 17 January 2010 - 09:13 AM

Well Boop..

Ran the Kaspersky scanner last night as directed and it found nothing on my system.

Just for kicks and to check if I was still having redirect problems with Google; I did a search on "spyware". Google (naturally) came up with Wikipedia's link and I clicked on it. Ol' Google sent me to "info.com" and "IT'S" search results . So...the problem is still there.

Next step HJT?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 17 January 2010 - 12:10 PM

Yep, we did to get deeper here.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Roached1

Roached1
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 AM

Posted 17 January 2010 - 03:55 PM

Hey Boop.

Thanks for all the help man. I have ran the DDS reports and the RootRepeal log and started another thread in the Malware forum as suggested.

I do have one last question for ya:

Late yesterday and today my computer clock (down in the right hand corner) has decided it wanted to go to the 24 hour clock (military time if you will) without me changing anything on it.

You have any clue what might have caused this to happen?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:18 AM

Posted 17 January 2010 - 04:03 PM

This is a sometime side deffecyt of malware removal.

To fix the clock display:

Go toStart >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section... next to the language you are using... click the Customize...button
Press the Time...tab.
In the Time Format...box, for 12 hour time display... change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want... separator, AM, PM...
When done...click Apply and OK as needed.


Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users