Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Jammed, but good.


  • Please log in to reply
7 replies to this topic

#1 Post

Post

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 18 August 2010 - 02:41 PM

I'm running XP Pro Version 2002 on a Intel P4 W/ 1.80GHz & 1.5 GB of RAM

I've become infected with the google-analytics. It continues to redirect my Mozilla 1.7.12 browser to
a blank screen that never quite finishes loading.

I downloaded the latest version of Mozilla but to no avail. I even downloaded IE so that I could search the web... this works, sort'a.

Also, when I try to kill a process, I get the message

"Task Manager has been disabled by your administrator."

I thought I was the administrator, I am the only user and have no pass/words to access the system. I have no idea how correct this.


I found and placed these on the ignorelist of Hijack but it only seemed to work for a day or so.

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\host32.exe,
04 - HKLM\...\Run:[Vsiyuze]rundll32.exe"C:\WINDOWS\elufeqacol.dll",Startup


Can someone help me with these issues?, Please?
Thank you in advance for your help with this...

Post

Edited by hamluis, 18 August 2010 - 03:02 PM.
Moved from XP forum to Am I Infected ~ Hamluis.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:35 PM

Posted 18 August 2010 - 04:00 PM

Hello, please run these.
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe


alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.


TASK MGR DISABLED

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File Exit.

Or you can download and use ERUNTwhich is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Post

Post
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 28 August 2010 - 04:09 PM

Sorry it took so long to get back to you. I'm still unable to update MBAM and only get a blank screen when I click on the "here" in your insturctions. I hope this information is of value and will wait for your responce.

Again, Thank you.

------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

8/28/2010 2:55:23 PM
mbam-log-2010-08-28 (14-55-23).txt

Scan type: Quick scan
Objects scanned: 105860
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{8aa87205-8d5c-4e7d-8960-42261b36394c} (Spyware.Sters) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmatpdipmbwxb (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b6dfe06-cbd1-422a-abeb-aa87673e5668}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.59 85.255.112.218 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAtpdipmbwxb (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01IVQ3IJ\usa1[2].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAtpdipmbwxb\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\King\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\King\Local Settings\Temp\PRAGMAa975.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\PRAGMAda58.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\AB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\AD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\AE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\AF.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\King\file.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\King\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:35 PM

Posted 28 August 2010 - 07:31 PM

Hello ,yes this was helpful..
Did you run ATF and SAS?

First once cleaned you need to update
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
You will need to get to SP 3 And at least IE7.. The security holes in what you have are dangerous.

Now, we found these,(Backdoor.Bot), so i need to give you thios advice next.
One or more of the identified infections is a backdoor trojan/Bot.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Post

Post
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 29 August 2010 - 04:07 PM

Windows Task Manager is now up and running. Thank you.

I can get to the screen for Safe Mode using <F8> but the keyboard is dead,
so I have to do a cold boot.

I never! do banking on the computer. I still write checks and stop by the
bank in person... still, thank you for the warning. I would like to try
to kill the miscreant files if possiable.


I'm still infected with the google-analytics and it continues to redirect my
Mozilla 1.7.12 browser to a blank screen that never quite finishes loading.



I've downloaded Malwarebytes Anti-Malware 1.46
and renamed it zztoy.exe as instructed.

It, (Malwarebytes Anti-Malware 1.46),
won't update its program files.

When I click on the "here" in your
instructions I get the error message:

www.malwarebytes.org could not be found. Please check the name and try again.
"OK"

On the other hand SUPERAntiSpyware updates its files on install but won't
allow me to manually update them... just strange...

These are the results from this last run but remember, the Malwarebytes
didn't/won't update the program files.

==============================
==============================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/29/2010 at 02:05 PM

Application Version : 4.42.1000

Core Rules Database Version : 5410
Trace Rules Database Version: 3222

Scan type : Quick Scan
Total Scan Time : 00:15:14

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 1805
Registry threats detected : 3
File items scanned : 4960
File threats detected : 8

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{2B6DFE06-CBD1-422A-ABEB-AA87673E5668}#NAMESERVER

Backdoor.Bot[ZBot]
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

Adware.Tracking Cookie
.doubleclick.net [ C:\Documents and Settings\King\Application Data\Mozilla\Profiles\default\hf1c05ag.slt\cookies.txt ]
C:\WINDOWS\system32\config\systemprofile\Cookies\system@businessfind[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clicksor[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertise[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@myroitracking[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bizzclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.businessfind[1].txt

==============================
==============================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

8/29/2010 2:21:52 PM
mbam-log-2010-08-29 (14-21-52).txt

Scan type: Quick scan
Objects scanned: 105711
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==============================
==============================

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:35 PM

Posted 29 August 2010 - 09:37 PM

OK, let's try it this way.
Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



OR..... you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash,usb,jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine..
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Post

Post
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 05 September 2010 - 01:01 PM

I do believe your right. After about 10 min my system is not letting me open
apps or even files and just in the last couple of days is now locking up...

I've bought a new hard drive and altho I don't want to loose the info from my
current system, I've come to the realization,,, its time.

Thank you again, and wish me luck...

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:35 PM

Posted 05 September 2010 - 01:15 PM

Good luck.. You can save some info.
2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users