Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pesky Little Bugger


  • Please log in to reply
7 replies to this topic

#1 FranklenStein

FranklenStein

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 01 April 2010 - 10:00 PM

Hoping for a kindly soul to help me out with a Dell work desktop running Windows XP.

Yesterday a coworker was online when a mysterious pretend Windows warning came up asking her to click to protect the blah, blah, blah..Even though it also had a pretend little Microsoft shield as well, she was smart enough to close it and come get me rather than clicking on it. Popped up a couple more times until I closed it with the task manager, but not before it plopped down several desktop shortcuts to various porn sites complete with graphic photos. Didn't catch the name of the buggy however.

So...ran Adaware which detected a "malicious object" amongst other privacy things, but then despite saying it's successfully removed, still shows it when Adaware is run again.

Then tried running Malwarebytes but it crashed on startup. Tried to put the computer into Safe Mode and try again, but of course unable to get into safe mode after several attempts.

So...then ran spybot which picked up yet more stuff and removed it. Tried Adaware again, but still there. The details come up as windows/system32/group/logon/winlogo/exe.

After Spybot, I was able to run Malwarebytes which too found some objects, and removed them. But when I try Adaware again...you guessed it. Still there. Can't seem to shake the pesky little bugger. Poked around online and saw that someone suggested Hijack this. Downloaded and ran that, but have absolutely no idea how to read the log.

Any help greatly appreciated. Thanks in advance.

BC AdBot (Login to Remove)

 


#2 FranklenStein

FranklenStein
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 02 April 2010 - 10:17 PM

Anyone?...

No?...

#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:19 AM

Posted 03 April 2010 - 09:09 AM

Can you post the findings of your scans from Malwarebytes?

#4 FranklenStein

FranklenStein
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 03 April 2010 - 07:11 PM

Thanks Cryptpdan.

Ran Malwarebytes again this morning and got the following (see below). Then hit remove all and it appeared to be successful, simply asking me to restart the computer. Did so, but as Windows is coming up I get two "failed to intialize messages: Dell.ControlPoint.exe 0xc000007b, and Dell/UCM.exe 0xc000007b.

Clicked okay to ignore and then got an Adware live message saying that it had blocked 5614695.exe380, identifying it as a "trojan downloader". Also had my mysterious pornograpic desktop shortcuts reappear.

So...ran Malwarebyetes again and the same issues were there (attached second log), but when I restrat I get the same failed to initialize message, and also another Adware live message stating that it had blocked services.exe.2692, identifying it as a Win32TrojanSpy VB.

And then the mysterious original pretend program came back up. Has a imitation Windows shield, and is something called "Protection System"...

First Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/3/2010 2:47:27 PM
mbam-log-2010-04-03 (14-47-27).txt

Scan type: Quick scan
Objects scanned: 164376
Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\PowerDes.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\PowerDes.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\opear.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\t4m0_169347262298.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\t4m0_257935182989.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\t4m0_32743993870.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\t4m0_780317385934.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\tmp0_7049931708.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> No action taken.


Second Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/3/2010 3:08:56 PM
mbam-log-2010-04-03 (15-08-56).txt

Scan type: Quick scan
Objects scanned: 164318
Time elapsed: 12 minute(s), 55 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\Temp\VRT3.tmp (Spyware.OnlineGames) -> Unloaded process successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\gugmyx.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\gugmyx.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\VRT3.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\VRT1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CP6BWPIR\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SL2R85MB\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\gugmyx.dll (Trojan.Agent) -> Delete on reboot.

#5 FranklenStein

FranklenStein
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 04 April 2010 - 07:13 PM

So is there just no one whose seen this before and has a suggestion?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:19 PM

Posted 04 April 2010 - 09:32 PM

Hello, One or more of the identified infections is a backdoor trojan/bot.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 FranklenStein

FranklenStein
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 04 April 2010 - 10:20 PM

:thumbsup: Wow. Yucky. I'll have to check with the IT guys first thing in the morning and see if they simply want to reformat.

Thanks for the response though.

The computer is accessed by 7 or 8 employees, and if their information is compromised I'm sure they'll want to know and take action.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:19 PM

Posted 04 April 2010 - 11:05 PM

Yes that would be the best route.

:thumbsup:

Sorry but it was important you know.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users