backdoor.trojan and fake AV


12 replies to this topic

#1 timcuppe

  • Members
  • 9 posts

Posted 08 March 2010 - 10:53 PM

Hello,

I started out with triplexfeed.com virus that redirected my Google and Safari web searches. I was sent, by folks at the Norton Forum, to download and run Malwarebytes, which located and deleted 34 items. A 2nd scan found 1 additional item, which I also deleted with Malwarebytes.

I was then sent to download and run GMER. As I started this scan I started getting "Antivirus XP 2010" warnings, which seem to be blocking any and all attempts to run or access repair remedies... Also seems to have disabled my firewalls etc.

The complete Norton Help thread, with malwarebytes scan results, can be found here:
http://community.norton.com/t5/Norton-360/...com/td-p/210095

Can anyone suggest a repair? I'm 15 months unemployed, and need to do this on the cheap, if possible.

Thanks!

Using a PC, XP Pro, Norton 360 V3. Anti Virus (updated daily)

#2 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 09 March 2010 - 10:08 AM

I think the first thing I need to do is somehow ID and disable the fake anti-virus program... That seems to be keeping me from doing any scans.

Thanks in advance!

#3 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 09 March 2010 - 10:58 AM

Start here with the removal guide for Antivirus XP 2010.

Be sure to update Malwarebytes before running any scans as directed in the removal guide.

If you are unable to run Malwarebytes, please try running Rkill first.

First, download rkill.com to your desktop.

Double-click on rkill.com in order to automatically attempt to stop any processes associated with Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by these Rogue programs when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate these Rogue programs. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the instructions.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#4 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 09 March 2010 - 01:38 PM

Techextreme: I love you, man (ma'am?)!

That seemed to shut the AV2010 down so I could update and run MalwareBytes... I'll see what the MBytes scan finds, remove suggested files, and maybe run MalwareBytes one more time before trying to update / run my Norton 360.

Does that sound like a decent procedure, or will I need to repair / reset my computer's firewall settings, and such, before dealing with Norton?

Thanks so much for your help with this!!

#5 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 09 March 2010 - 01:45 PM

After you have updated and run Malwarebytes, yes, remove what is found. Please post your malwarebytes log so we can look at it and make sure you're clean. If I run into something that requires "higher" help, I'll point you in the direction you need to go.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#6 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 09 March 2010 - 01:55 PM

Thanks, I'll post the log once it's available - I've turned OFF the wifi on my infected computer (after updating MBytes); will that cause a problem with running MalwareBytes? Those never ending Fake AV warnings made me paranoid of probing visitors...

#7 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 09 March 2010 - 02:12 PM

As long as you were able to update Malwarebytes before shutting your Wireless connection down, you should be just fine.

Also, if Malwarebytes instructs you to reboot your computer to finish the cleaning and removal process, please do so.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#8 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 09 March 2010 - 05:02 PM

Okay... MBytes finished scanning, rebooting, and I have posted the before and after fix logs below.

At this point, though, when I try to open a program (IE, Outlook, Firefox, etc...) I get a pop-up window with the heading "Run As." It has an icon of a set of keys and reads: "Which user account do you want to use to open this program?"

Below that, it has two radio button choices.

The first radio button: "Current User" (with my first name and an unknown number next to it) and a check box just below that, already checked, to "protect my computer and data."

The 2nd radio button: "The following user," with a drop-down menu choice of Administrator or Big Dog (the name of my computer); below the drop-down menu is a place for a password.

I've tried every option, but it will not let me open any programs... Not sure if this is some left behind issue, or if it's malwarebytes protecting me from myself... Thoughts?

Thanks again for your help!! Here are the before and after logs:


BEFORE Fix:
Malwarebytes' Anti-Malware 1.44
Database version: 3842
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/9/2010 3:13:45 PM
mbam-log-2010-03-09 (15-13-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246931
Time elapsed: 2 hour(s), 43 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Big Dog\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> No action taken.


AFTER Fix:

Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/8/2010 1:21:38 PM
mbam-log-2010-03-08 (13-21-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 242209
Time elapsed: 2 hour(s), 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\4DW4R3sv.dat (Rootkit.Agent) -> Quarantined and deleted successfully.

Edited by timcuppe, 09 March 2010 - 05:06 PM.


#9 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 10 March 2010 - 02:39 AM

Update: I updated / ran another Malwarebytes scan and found another virus. I saved the fix logs, deleted the bug, and rebooted. Afterwards, I seemed to have full access to my various web and e-mail programs again. I'll post the fix logs in the morning. Will also do one more malwarebytes scan and see if anything shows up.

sp

#10 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 10 March 2010 - 09:18 AM

G'morning!

Below are the scan logs of the 2nd Malwarebytes scan finding a "HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile)" infection. The 7+ hour scan time is due to MByte being run with Norton 360 V3, at the same time.

I have since upgraded / updated my Norton 360 to V4 and am currently re-scanning my system... So far, Norton has picked up 16 items, but I don't know what the items are, yet. Could be cookies, or such. - I'm simultaneously scanning a third time with Malwarebytes, though running both looks like it's going to take even longer than the last 7+ hr scan...

Maybe I should pause one of the scans for faster results?


Before repair: (I'm scanning with Malwarebytes so can't get to the After repair scan report, but it was deleted successfully, according to the report.)

Malwarebytes' Anti-Malware 1.44
Database version: 3843
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/9/2010 11:28:41 PM
mbam-log-2010-03-09 (23-28-22)

Scan type: Full Scan (C:\|)
Objects scanned: 246414
Time elapsed: 7 hour(s), 11 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by timcuppe, 10 March 2010 - 09:43 AM.
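
The registry data items in the logs above (the three Security Center DisableNotify values in post #8 and the hijacked .exe handler in this post) are the findings a responder pulls out of a Malwarebytes report first. The parser below for the Malwarebytes 1.44 log format is an added example, not code from this thread or from Malwarebytes; its sample log is constructed from entries quoted in the thread, and the notes in `explain()` state the standard meaning of those registry values rather than anything the posters wrote.

```python
import re

# Constructed sample built from entries quoted in this thread's Malwarebytes 1.44 logs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.

Files Infected:
C:\Documents and Settings\Big Dog\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> No action taken.
"""

# "Files Infected:" with no count opens a detail section; "Files Infected: 1" is only the summary line.
SECTION_RE = re.compile(r"(?P<section>.+) Infected:$")
# <file or registry item> (<Detection.Name>) [-> Bad: (x) Good: (y)] -> <action MBAM took>
# Only registry-data findings carry the Bad/Good pair; file findings leave those groups None.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)

def parse_mbam_log(text: str) -> list[dict]:
    """Return every detection line in a Malwarebytes 1.44 log, tagged with its section."""
    findings, section = [], None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = m.group("section")
        elif section and (m := ENTRY_RE.match(line)):
            findings.append({"section": section, **m.groupdict()})
    return findings

def unresolved(findings: list[dict]) -> list[dict]:
    """Detections MBAM only reported, so they remain until a removal pass runs."""
    return [f for f in findings if f["action"].startswith("No action taken")]

def explain(f: dict) -> str:
    """Responder's note on a registry-data finding (standard meanings of the values, not from the thread)."""
    name = f["item"].rsplit("\\", 1)[-1]
    if f["detection"] == "Disabled.SecurityCenter":
        return f"{name}={f['bad']}: Windows Security Center alerts for that component are suppressed"
    if f["detection"] == "Hijacked.exeFile":
        return f".exe handler changed from '{f['good']}' to '{f['bad']}': every program launch goes through the rogue's handler"
    return f"{f['detection']}: {f['action']}"
```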


#11 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 10 March 2010 - 09:20 AM

BTW, other than a cookie, nothing was found using Norton 360 V3...

#12 timcuppe

  • Topic Starter
  • Members
  • 9 posts

Posted 11 March 2010 - 08:48 AM

My 3rd Malwarebytes scan ran and came back clean... I've posted the scan log below.

I also ran an un-updated version of Norton 360 V4 which only found (16) normal tracking cookies... They've been removed.
Looks like, with your help, all is back to normal...

Is there anything else I need to do to complete the repair? (settings reset, protections turned back on?)

Thanks again for all your help!!

Last scan log:

Malwarebytes' Anti-Malware 1.44
Database version: 3849
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/10/2010 7:40:43 PM
mbam-log-2010-03-10 (19-40-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249306
Time elapsed: 6 hour(s), 43 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 11 March 2010 - 09:48 AM

From the results of your scans, it looks like your computer is clean and happy once again.

Let's go one step further and clean out any temp files that you have to be sure nothing is lurking in there.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Let me know how things are running once this completes.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 




