
Dumbfounded. :[


6 replies to this topic

#1 ZlobIsFun

  • Members
  • 92 posts

Posted 24 July 2010 - 01:20 PM

I downloaded this file: hXXp://www.mediafire.com/?jm3nmnzttznmqo4
Edit: altered dangerous link ~~boopme
Thanks boopme, forgot to do it myself. :[

WARNING DO NOT RUN THIS FILE.

After running it nothing happened so I ended the process. Then "A" with a line above it was attempting to access a protected file; all of a sudden winlogon.exe was being spammed. I rebooted and now explorer.exe was possibly replaced; now it just says editing the settings for win login or something. I ended that explorer.exe immediately. What do I do? What do I run? Help me please! :[

There are multiple winlogon.exes right now, and I disabled the start-up items.

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

File directories I'm unsure of:
"C:\Windows\System32\winlog\winlogon.exe"

I'm getting to my stuff with Task Manager. It's kind of sad how they've hijacked my explorer.exe. I can't restore either; the restores are there but it fails. I need to delete the winlog folder and restore my explorer.exe :[

I tried to delete the winlog folder, but the fake Winlogon was running. I tried to force shut that down but I got BSOD. I then tried to delete it the second I ended it, but that didn't work.

I don't know how to get the real explorer.exe. :[ How did this happen so fast? It only took a minute.. I feel defeated. Hopefully this will be resolved within the week.

Like the, what, 10th update? But everything seems fine. Just, explorer is hijacked and there is a fake winlogon, and A with a line above it is attempting to access protected files unless I end explorer.exe (there are two instances).
Of course there may be something wrong behind the lines, and it could be a matter of time before things boom.
I tried replacing the explorer.exe with the one from the service pack files. The same 'Attempting to personalize settings'.
C:\windows\system32\winlog\winlogon.exe

I really want to run scans, and I most likely will without a professional's help if I don't get any response within the next day.
I understand computers well enough, and I can program in two languages.

EDIT: Happy to announce MBAM found something.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 3:19:24 PM
YES

Scan type: Flash scan
Objects scanned: 95164
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\Winlog\Winlogon.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{fjp17780-5167-566c-3k25-433a1c05hjyv} (Generic.Bot.H) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Winlog\Winlogon.exe (Generic.Bot.H) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\xxxyyyzzz.dat (Malware.Trace) -> No action taken.

Awesome! It's all stopped.

I clapped my hands when I noticed that the task bar loaded, and then the icons. Pretty intense when you think you're going to have to reinstall again.
Plus I just bought this awesome new game.
But for the first few minutes I noticed weird hang times and web pages saying 'finished' when they were just in text or most images weren't loaded. Waited 6 minutes; it's gone now. Ran a scan and no more infected files were found. Hopefully it's over, we'll find out. Don't close this just yet please, give it a day or three.

Edited by ZlobIsFun, 24 July 2010 - 03:46 PM.




#2 ZlobIsFun

  • Topic Starter
  • Members
  • 92 posts

Posted 24 July 2010 - 10:15 PM

Woah, how did this get installed without my permission!?

Posted Image

It did this for any program I tried to open. Thankfully MBAM removed it with ease.

The scan that fixed this.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 10:10:49 PM
mbam-log-2010-07-24 (22-10-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 11967
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\eropmyney\jfwfdkrtssd.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbmbobdi (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbmbobdi (Trojan.Dropper) -> Quarantined and deleted successfully.

I just got this.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AJAIY1HC\update[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Okay, so I guess this means I'm infected with something MBAM can't handle. Now I really do need help. :[

Edited by ZlobIsFun, 24 July 2010 - 11:06 PM.
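The two MBAM logs posted above (posts #1 and #2) share one line format: the detected object, the detection name in parentheses, and the action taken, with tampered registry data lines also carrying the bad and the expected value. As an added example that is not part of this thread or of Malwarebytes' own tooling, here is a small Python parser for that format that separates out the items a scan reported but left untouched ("No action taken"), which is what the first log consists of; the sample lines are taken from the logs posted above, abbreviated.

```python
import re
from dataclasses import dataclass

# Sample lines taken from the MBAM logs posted in this thread (abbreviated).
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Memory Processes Infected:
C:\WINDOWS\system32\Winlog\Winlogon.exe (Backdoor.Bot) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbmbobdi (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# A "... Infected:" header with a count is from the summary block; without one it opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")  # tampered data lines

@dataclass
class Finding:
    section: str
    item: str         # file path or registry key/value
    detection: str    # MBAM detection name, e.g. Backdoor.Bot
    action: str       # what the scan did, e.g. "No action taken."
    bad: str = None   # only for Registry Data Items: value found
    good: str = None  # only for Registry Data Items: value expected

def parse_mbam_log(text):
    findings, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = None if m.group("count") else m.group("name")
            continue
        m = ITEM_RE.match(line)
        if not (m and section):
            continue
        d = DATA_RE.match(m.group("rest"))
        bad, good, action = (d.group("bad"), d.group("good"), d.group("action")) if d else (None, None, m.group("rest"))
        findings.append(Finding(section, m.group("item"), m.group("detection"), action, bad, good))
    return findings

def unresolved(findings):
    # Detections the scan reported but did not remove; these are what a rescan must act on.
    return [f for f in findings if f.action.startswith("No action taken")]
```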


#3 boopme

  • Global Moderator
  • 72,762 posts

Posted 25 July 2010 - 08:45 PM

Hello and welcome... Your first log showed some Backdoor.Bots, most likely responsible for the downloaders in the next log. First I must give you this advice on what was found.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




To clean you need to do all the steps, as some pertain to your issue. If you need info on reformatting, ask me.
Please follow our Removal Guide here: Remove Antivir Solution Pro
You will move to the Automated Removal Instructions.

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 ZlobIsFun

  • Topic Starter
  • Members
  • 92 posts

Posted 26 July 2010 - 06:40 PM

I already posted the log, which was:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 10:10:49 PM
mbam-log-2010-07-24 (22-10-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 11967
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\eropmyney\jfwfdkrtssd.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbmbobdi (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbmbobdi (Trojan.Dropper) -> Quarantined and deleted successfully.

I think this Antivir thing was in while the winlogon was in at the same time. I've been running full scans every time I'm off my computer.

#5 boopme

  • Global Moderator
  • 72,762 posts

Posted 26 July 2010 - 07:27 PM

OK, so those logs were after RKill.
Now we need a safe mode scan.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates; when done,
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#6 ZlobIsFun

  • Topic Starter
  • Members
  • 92 posts

Posted 28 July 2010 - 03:54 AM

I can't download anything right now; in the next week or two I will be able to. I'm capped and I won't be using my computer until then.

#7 boopme

  • Global Moderator
  • 72,762 posts

Posted 28 July 2010 - 10:01 AM

Ok, this topic will be open.