please help, got hit by RogueAntiSpyware.XPAntiSpyware


13 replies to this topic

#1 jailHackers2010 (Members, 7 posts)

Posted 17 April 2010 - 03:29 PM

Yesterday, I noticed that I'd been hit by RogueAntispyware, probably from the Java exploit on the lyrics sites. (I can't copy/paste, sorry.)

OK, so I installed Spyware Doctor, did a scan and deleted all the files.

Just went back into Local Settings / Application Data and deleted more of the ave.exe 32940234920394 (random numbers) etc.

I also went into regedit and deleted/changed all the appropriate keys.

Ran Spyware Doctor again and it said I was clean, but today it's happening again, so I must've missed something.

The one thing I haven't done yet is update Java. Any ideas on how I do that and get rid of this malware?

I tried installing HijackThis just now but it said the Windows Installer Service is disabled. But I'm not in Safe Mode, so the malware must've disabled that.

Thanks for all your help!
-R

P.S. I would support the life imprisonment of malicious coders.


#2 boopme (Global Moderator, 73,190 posts, NJ USA)

Posted 17 April 2010 - 04:02 PM

Hello and welcome. I am moving this to the Am I Infected forum from XP.

Please follow our Removal Guide here: How to remove XP Security Tool 2010

You will move to the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware.

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 jailHackers2010 (Topic Starter)

Posted 17 April 2010 - 04:40 PM

Thank you for your help.

I am following the instructions provided; however, when I installed Malwarebytes' Anti-Malware I got the following error message:

    Run-time error '372':

    Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

This occurred after the installer had reached the final step; both Update and Start MBAM were checked, and when I clicked Finish I saw this error message.

#4 boopme (Global Moderator)

Posted 17 April 2010 - 05:07 PM

Is this XP? And which service pack, please?

EDIT: >> Run-time error '372': Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

Here's the vbalsgrid6.ocx in a zip format,

http://www.malwarebytes.org/forums/index.p...post&id=622

The file goes here: C:\Program Files\Malwarebytes




Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Edited by boopme, 17 April 2010 - 07:24 PM.


#5 jailHackers2010 (Topic Starter)

Posted 18 April 2010 - 12:04 PM

Yeah, it's XP Pro 2002 Service Pack 3.

BTW, the Malwarebytes forum link you posted had an ellipsis in it, so it doesn't work.
I found it though and used this: http://forums.malwarebytes.org/index.php?a...post&id=622 (hopefully that will display correctly)
Running scans now, will reply when done.

Thanks again.

#6 boopme (Global Moderator)

Posted 18 April 2010 - 03:38 PM

OK, thanks, I will fix that.

#7 boopme (Global Moderator)

Posted 18 April 2010 - 03:46 PM

Download MSFT Visual Basic from here
http://www.microsoft.com/downloads/details...;displaylang=en

Instructions


Before starting the download, create a download directory on your computer. If your internet connection is less than 300K, it is recommended that you run the multi-part download by following the "More Information" link at the upper right, then clicking "Download Now."

Click "Download" to begin downloading the single download. When prompted by the download software, choose the option "Save this program to disk" and click OK. Then select the directory you created on your computer.

Run the file from the download directory. When prompted, select the same directory you created on your computer. You will be expanding the contents of the EXE into this directory.

Run SetupSP6.exe from the download directory. When you accept the terms of the electronic End User License Agreement (EULA) the setup software will replace the appropriate files in your Visual Basic 6.0 installation.

#8 jailHackers2010 (Topic Starter)

Posted 18 April 2010 - 04:39 PM

OK, I see you wrote "copy/paste", but those directions may need to be updated.
(Should I attach my logs, or just paste them into the body of the post?
Per this: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
I would attach, but I have no attachments browse/upload dialog below my textbox.)


I've uninstalled all Java programs/updates/JRE/SDKs, etc. from Add/Remove Programs. However, after a reboot, I did notice javaw.exe and jusched(uler) in my process list. Weird.
I have not installed Update 20 (most recent) yet.

I'm curious about why I should be installing MS Visual Basic 6.0. I don't have that installed. Is that related to something else?


I ran half a scan and it ran for an hour then froze, so I did a quick one, deleted the bad registry keys, then ran a full one and deleted the bad application. The two logs are below:

Thanks,
jailHackers


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/18/2010 2:30:17 PM
mbam-log-2010-04-18 (14-30-17).txt

Scan type: Quick scan
Objects scanned: 126338
Time elapsed: 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/18/2010 5:26:42 PM
mbam-log-2010-04-18 (17-26-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 424982
Time elapsed: 2 hour(s), 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\rcraig\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
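Reading logs like the two above, a helper wants three things pulled out of the prose: whether any detection is a backdoor class (the finding that turns the advice from "keep cleaning" into "take it offline and change passwords from another machine"), which Security Center notification values were switched off, and which binary was spliced into a legitimate launch command (here ave.exe wrapping firefox.exe). The script below is an added example, not part of the thread and not Malwarebytes' own tooling; it parses the MBAM 1.x log format shown above and does that triage. Its input is a constructed sample modelled on the poster's logs, with the user name replaced and the summary counts omitted.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread: not Malwarebytes' own code. It parses the
log format the poster pasted (section headers ending in "Infected:", one
detection per line with family, Bad/Good values and the action taken) and
pulls out what a helper acts on first.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the MBAM 1.45 log format, modelled on the poster's
# two logs (user name replaced, summary counts omitted). Not a real log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

Scan type: Quick scan
Objects scanned: 126338

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


@dataclass
class Finding:
    section: str      # e.g. "Registry Data Items", "Files"
    item: str         # registry path or file path
    family: str       # MBAM detection name, e.g. "Backdoor.Bot"
    action: str       # what MBAM did with it
    bad: Optional[str] = None   # value found (registry data items only)
    good: Optional[str] = None  # value MBAM restored


def parse_mbam_log(text):
    """Return (header fields, list of Finding) from a pasted MBAM 1.x log."""
    header, findings, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip the preamble and the "(No malicious items detected)" filler.
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(section, m["item"], m["family"],
                                    m["action"], m["bad"], m["good"]))
    return header, findings


def hijacker_binaries(findings):
    """Executables the malware spliced into a legitimate launch command
    (the thread's case: ave.exe wrapped around firefox.exe)."""
    exes = []
    for f in findings:
        if f.family.startswith("Hijack.") and f.bad:
            m = QUOTED_EXE_RE.search(f.bad)
            if m and m.group(1) not in exes:
                exes.append(m.group(1))
    return exes


def suppressed_notifications(findings):
    """Security Center *DisableNotify values that had been flipped to 1,
    i.e. the user was being kept from seeing AV/firewall/update warnings."""
    return sorted(f.item.rsplit("\\", 1)[-1] for f in findings
                  if f.family == "Disabled.SecurityCenter" and f.bad == "1")


def triage(findings):
    """Rank the log: a Backdoor.* hit is the finding that changes the advice
    from 'keep cleaning' to 'go offline and change passwords elsewhere'."""
    critical = any(f.family.startswith("Backdoor.") for f in findings)
    return {
        "critical": critical,
        "hijackers": hijacker_binaries(findings),
        "suppressed_notifications": suppressed_notifications(findings),
        "families": sorted({f.family for f in findings}),
    }


if __name__ == "__main__":
    hdr, found = parse_mbam_log(SAMPLE_LOG)
    print(hdr)
    for key, val in triage(found).items():
        print(f"{key}: {val}")
```

Paste a real log into `parse_mbam_log` in place of the sample; the "Good:" value is what MBAM restored, so comparing it against the "Bad:" value is also a quick way to see exactly which command line a user was really running when they clicked their browser shortcut.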

#9 boopme (Global Moderator)

Posted 18 April 2010 - 07:23 PM

Hello. You have to copy/paste; there is no attaching here.

We did not request a DDS log and they do not get posted here.

Sorry, the Visual Basic was a replacement procedure for the earlier one with the bad link.

I see we got a log, good. It contained a Backdoor/Bot... a note about these.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



If you want to continue cleaning....
Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#10 jailHackers2010 (Topic Starter)

Posted 20 April 2010 - 04:01 PM

Here's the log that found another rootkit. You'll see it was on my external drive in an old Fedora Core directory. BTW, I deleted about 1000 or so cookies from this pasted log.
The computer is running a lot smoother, but I have it almost permanently disconnected from the internet. I will probably reOS the Windows partition soon.
Let me know if there's anything else I can do.

Thanks.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2010 at 00:03 AM

Application Version : 4.35.1002

Core Rules Database Version : 4825
Trace Rules Database Version: 2637

Scan type : Complete Scan
Total Scan Time : 06:04:57

Memory items scanned : 269
Memory threats detected : 0
Registry items scanned : 6590
Registry threats detected : 0
File items scanned : 546294
File threats detected : 1063

Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\Office Test\Application Data\Mozilla\Firefox\Profiles\z7uq2bep.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Office Test\Application Data\Mozilla\Firefox\Profiles\z7uq2bep.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Office Test\Application Data\Mozilla\Firefox\Profiles\z7uq2bep.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Office Test\Application Data\Mozilla\Firefox\Profiles\z7uq2bep.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Office Test\Application Data\Mozilla\Firefox\Profiles\z7uq2bep.default\cookies.txt ]
.ehg-oreilly.hitbox.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
.bfast.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
.ehg-verizon.hitbox.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
.ehg-verizon.hitbox.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
.ehg-verizon.hitbox.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
.overture.com [ F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Application Data\Mozilla\Firefox\Profiles\u2owkv94.default\cookies.txt.moztmp ]
F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Cookies\roger@insightexpressai[1].txt
F:\laptopRescue\Documents and Settings\Roger\Application Data\Sandbox\DefaultBox\user\current\Cookies\roger@insightexpressai[2].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@media.adrevolver[1].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@adrevolver[2].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@advertising[1].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@atdmt[2].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@doubleclick[1].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@ehg-dig.hitbox[2].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@hitbox[2].txt
F:\laptopRescue\Documents and Settings\Roger\Cookies\roger@insightexpressai[1].txt

Trojan.Gromozon (RootKit)
F:\August_2007\usr\usr\src\kernels\2.6.16-1.2069_FC4-smp-i686\include\config\usb\sisusbvga\CON.H
F:\August_2007\usr\usr\src\kernels\2.6.17-1.2142_FC4-smp-i686\include\config\usb\sisusbvga\CON.H

#11 jailHackers2010 (Topic Starter)

Posted 20 April 2010 - 04:02 PM

Oh, one thing to mention is that Chrome doesn't work at all, but firefox seems to be working ok. I'd prefer to use Chrome though. But like I said, I'll just reOS this soon anyways.

#12 Eric ~ Computer Guy (Members, 125 posts, Dallas, TX)

Posted 20 April 2010 - 04:19 PM

Oh, one thing to mention is that Chrome doesn't work at all, but firefox seems to be working ok. I'd prefer to use Chrome though. But like I said, I'll just reOS this soon anyways.


With that high of an infection rate, I'd say a low-level reformat and reinstall is best.

#13 jailHackers2010 (Topic Starter)

Posted 20 April 2010 - 05:21 PM

Oh, one thing to mention is that Chrome doesn't work at all, but firefox seems to be working ok. I'd prefer to use Chrome though. But like I said, I'll just reOS this soon anyways.


With that high of an infection rate, I'd say a low-level reformat and reinstall is best.


By infection rate, what numbers are you referencing? The 1000/500k listed in the SAS log report?

#14 boopme (Global Moderator)

Posted 21 April 2010 - 02:54 PM

If you want to see if this can be cleaned (I earlier mentioned the risk), follow this:

We need a deeper look. Please go here....
Preparation Guide.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.



