Win32.Delf.uv; Fraud.CleanUpAntivirus; Fraud.WindowsProtectionSuite; Microsoft.Windows.RedirectedHosts


This topic is locked. 16 replies to this topic.

#1 anneke (Members, 9 posts)

Posted 10 November 2010 - 02:34 PM

Hallo, I hope I'll be able to do this in English.... My laptop has been infected with 4 different malwares or Trojans. I have run Spybot three times and of course it can detect but not delete Win32.Delf.uv; Fraud.CleanUpAntivirus; Fraud.WindowsProtectionSuite and Microsoft.Windows.RedirectedHosts! I hope I can get some help on how to get rid of those malwares without having to configure my laptop.
Best regards, Anneke

Edited by anneke, 10 November 2010 - 02:36 PM.
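One of the four names in the post above, Microsoft.Windows.RedirectedHosts, is the Spybot detection name for modified hosts-file entries: lines that point antivirus and update sites at the loopback address (so the scanner can never be downloaded) or at an attacker-controlled address. The script below is an added illustration and is not part of the thread or of Spybot; it parses a hosts file and lists the entries a cleaner should look at. The vendor list, the sample file contents and the 203.0.113.10 address are constructed for the example. On Windows XP the real file is C:\WINDOWS\system32\drivers\etc\hosts, and the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters is worth checking as well, since malware can point Windows at a different hosts file altogether.

```python
"""List hosts-file entries of the kind "RedirectedHosts" detections refer to:
vendor names blackholed to loopback, or any name sent to a remote address."""
import ipaddress
import re

# Location on Windows XP (the path itself can be redirected via the registry).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Vendors mentioned in the thread plus Spybot's own site; any mapping for
# these is suspicious because a stock hosts file never lists them.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "avira.com", "mcafee.com", "malwarebytes.org",
    "bleepingcomputer.com", "safer-networking.org",
)


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every active mapping; comments and
    blank lines are skipped, and one IP may carry several names."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), n


def suspicious_entries(text: str):
    """Return (line_no, ip, name, reason) for every entry worth reviewing."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain") and _is_loopback(ip):
            continue  # the only mappings a stock XP hosts file contains
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and _is_loopback(ip):
            findings.append((n, ip, name, "vendor domain blackholed to loopback"))
        elif watched:
            findings.append((n, ip, name, "vendor domain redirected to a remote address"))
        elif not _is_loopback(ip):
            findings.append((n, ip, name, "non-loopback mapping (possible redirect)"))
    return findings


# Constructed sample, not the poster's actual file: a stock header plus three
# hijack-style lines (203.0.113.10 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # blocks the download page
127.0.0.1       download.avira.com
203.0.113.10    www.microsoft.com      # sends update traffic elsewhere
"""

if __name__ == "__main__":
    for line_no, ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<15} {name:<25} {why}")
```

Legitimate ad-blocking hosts lists (thousands of names mapped to 0.0.0.0) will also show up as non-loopback mappings, so the output is a review list, not a delete list; what matters here is the vendor entries, which a user-installed blocklist would not contain.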



#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 10 November 2010 - 03:04 PM

Posted 10 November 2010 - 03:04 PM

Hallo Anneke,

What language please? As long as I can understand the dialogue between us, then I can read the information I need without a problem. :thumbup2: Please tell me what else you've run besides Spybot so I know what we need to do. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 anneke (Topic Starter)

Posted 11 November 2010 - 08:25 AM

Posted 11 November 2010 - 08:25 AM

Hallo Tea, I haven't done much else... I have run Avira AntiVir Control, but that didn't even recognize the malware... maybe because it's only freeware? Then, at the university server where I have my email account they have recently offered McAfee virus scanner 8.7i 20100713 (Windows) for all users, which I downloaded and attempted to install yesterday. However, it seems that the malware or viruses block the installation and de-installation of any software. Of course I also attempted to de-install one of the malwares (calling itself Smart Engine and having the path C:\Dokumente und Einstellungen\Aneke\Application Data\Smart Engine), but de-installing is impossible, the program doesn't react.
Anneke :mellow:

Edited by anneke, 11 November 2010 - 08:31 AM.


#4 teacup61 (Malware Response Team)

Posted 11 November 2010 - 09:47 AM

Posted 11 November 2010 - 09:47 AM

Hallo,

Okay, thank you for that Anneke. :thumbup2: Just so you know, Avira is one of the very best out there. I use it on my own computer. :) It is better than a lot of paid programs and I trust it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to anneke.exe and try again.

Thanks,
tea

#5 anneke (Topic Starter)

Posted 11 November 2010 - 05:30 PM

Posted 11 November 2010 - 05:30 PM

Hi Tea,
Now I have run ComboFix and sent you the log!!! It went well the first time :thumbsup:
I have one more question though: I have one external hard disk which was connected yesterday, but which I have disconnected today. It'll be infected as well, won't it? Should I have left it connected to my laptop while running ComboFix? What do I do next?
Anneke

Attached Files



#6 teacup61 (Malware Response Team)

Posted 11 November 2010 - 06:00 PM

Posted 11 November 2010 - 06:00 PM

Hallo Anneke,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Regards,
tea

#8 anneke (Topic Starter)

Posted 11 November 2010 - 06:17 PM

Posted 11 November 2010 - 06:17 PM

Thanks a lot Tea for all the information... I do all my bank stuff and pay with Visa etc. over this computer... it might have been infected for a longer period of time, right? In fact I have two external hard disks as backups and I worry that they are infected as well? But I'd better wait to check that, right?? Can I do that with Spybot first and ComboFix afterwards as well? Is it possible to clean the laptop first in order to save certain things and then reformat it later?? The OS is Windows XP. If the laptop is reformatted, is it then 100% safe???
Finally I have a USB stick (Store 'n' Go) with PDFs that I was supposed to print out tomorrow in the print shop; shall I throw that away?
Thanks again for your help, I'm really grateful!!!
I'll sleep on it tonight.
Greetings, Anneke

Edited by anneke, 11 November 2010 - 06:18 PM.


#9 teacup61 (Malware Response Team)

Posted 11 November 2010 - 06:28 PM

Posted 11 November 2010 - 06:28 PM

Hallo Anneke,

"...I do all my bank stuff and pay with Visa etc. over this computer..."

Please be careful then....if you want to change your passwords, do it from a CLEAN computer, not the infected one. If you do, then it might get stolen.

"Can I do that with Spybot first and ComboFix afterwards as well?"

Don't bother with Spybot, and I'll be more than happy to help you with ComboFix again. :)

"Is it possible to clean the laptop first in order to save certain things and then reformat it later??"

Yes, but PLEASE don't wait very long to do this. The infection won't affect things like pictures, music, and most documents, so they should be safe to save.

"If the laptop is reformatted, is it then 100% safe???"

Yes, and with something like this, it's really the only way I could promise you a clean computer.

"Finally I have a USB stick (Store 'n' Go) with PDFs that I was supposed to print out tomorrow in the print shop; shall I throw that away?"

No need to throw it away. Scan it, save your PDFs, but I would reformat it as soon as is possible. That should be enough. :)

Please let me know if there's anything else I can help you with. :)

tea

#10 anneke (Topic Starter)

Posted 12 November 2010 - 03:51 AM

Posted 12 November 2010 - 03:51 AM

Thanks Tea :wink: First, how can I clean my computer now? Can you help me? That would be really nice of you! How can I do it and stay in contact with you??? I haven't got any other PC here. Shall I do it offline at somebody who has a clean computer? When shall I scan the hard disks with ComboFix? ComboFix is still saved on the C: drive, so I suppose I can just use it again, right? Yesterday I ran Spybot again and Win32.Delf.uv, Fraud.WindowsProtectionSuite and Microsoft.Windows.RedirectedHosts were gone; only Fraud.CleanUpAntivirus was still there.....
The next problem is that I'm so bad with computers... I never reformatted my PC myself!!! Is it difficult?
The last problem is that the L: drive with all my music is overloaded and went down a month ago... I can't get to it; when I try, it says that the drive isn't formatted... maybe that has to do with the infection as well. I thought it was just because there was too little storage memory left, and since I'm in the middle of my exams (typical) I thought I'd just ignore the problem until I'm finished, since the rest of the laptop works OK.

Maybe I can take my laptop to somebody tomorrow and follow your instructions from another online computer... or I need to download a program from you, don't I??? I can't really figure out how to clean the laptop without getting infected right away! I'll have to stay offline!
Lots of greetings and thanks, Anneke :thumbup2:

#11 anneke (Topic Starter)

Posted 13 November 2010 - 03:32 AM

Posted 13 November 2010 - 03:32 AM

Dear Tea, maybe my last post was a bit confused :o ... I was confused. I'd be really grateful if you could help me clean my machine of the backdoor trojans (for the reformatting I'll find somebody here), so I can save some of the stuff on it. As I told you, I ran Spybot again and Fraud.CleanUpAntivirus was still found.
Lots of greetings, Anneke :)

#12 teacup61 (Malware Response Team)

Posted 13 November 2010 - 11:15 PM

Posted 13 November 2010 - 11:15 PM

Hallo Anneke,

I apologize. I took yesterday off and rested. Your post wasn't confusing at all. You're doing just fine. :thumbup2:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Thanks,
tea

#13 anneke (Topic Starter)

Posted 14 November 2010 - 10:33 AM

Posted 14 November 2010 - 10:33 AM

Dear Tea, thanks for your mail and more help! I hope you enjoyed your day's rest!
I have now scanned my machine, plus external hard disk, plus Store 'n' Go USB stick with Malwarebytes. Because there were no infected files I did it twice, first as a quick scan and the second time in the manual mode... both goes were negative; I'll send you both logs!
Thanks a lot :thumbsup:
Anneke

First scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5111

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

14.11.2010 14:07:11
mbam-log-2010-11-14 (14-07-11).txt

Scan type: Quick scan
Objects scanned: 160037
Time elapsed: 8 minute(s), 24 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)

Second scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5111

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

14.11.2010 16:25:04
mbam-log-2010-11-14 (16-25-04).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|M:\|W:\|)
Objects scanned: 220514
Time elapsed: 45 minute(s), 11 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)
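Two things the helper wants to know from logs like these can be read off the text itself: whether every "infected" counter is zero, and whether the full scan actually included the external disks and the USB stick (the full-scan line lists the drive letters it covered). The parser below is an added example, not part of the thread or of Malwarebytes. It handles the German-build MBAM 1.x labels as posted and the English equivalents, returns the summary counters and the drive list, and reports which expected drives were not scanned. The embedded logs are abridged copies of the two posted above; the drive letters passed to missing_drives are assumptions, since the thread does not say which letters the external disks and the stick had.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs (German or English build) and
check that all counters are zero and that a full scan covered given drives."""
import re

# Summary labels: German build (as posted in the thread) and English build.
LABELS = {
    "Datenbank Version": "database", "Database version": "database",
    "Art des Suchlaufs": "scan_type", "Scan type": "scan_type",
    "Durchsuchte Objekte": "objects", "Objects scanned": "objects",
}
# A full scan line ends with the drives scanned, e.g. "(C:\|D:\|W:\|)".
DRIVE_LIST = re.compile(r"\(([A-Z]:\\(?:\|[A-Z]:\\)*)\|?\)")


def _is_counter(key: str) -> bool:
    """'Infizierte Dateien' (German) or 'Files Infected' (English)."""
    k = key.lower()
    return k.startswith("infizierte ") or k.endswith(" infected")


def parse_mbam_log(text: str) -> dict:
    """Return database/scan_type/objects, the per-category counters keyed by
    the log's own label, and the drives a full scan listed."""
    report = {"counts": {}, "drives": []}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in LABELS:
            report[LABELS[key]] = value
            if LABELS[key] == "scan_type":
                m = DRIVE_LIST.search(value)
                if m:
                    report["drives"] = m.group(1).split("|")
        elif _is_counter(key) and value.isdigit():
            # Section headers ("Infizierte Dateien:" with no number) are skipped.
            report["counts"][key] = int(value)
    return report


def is_clean(report: dict) -> bool:
    """True only if counters were found and every one of them is zero."""
    counts = report["counts"]
    return bool(counts) and all(v == 0 for v in counts.values())


def missing_drives(report: dict, expected) -> list:
    """Drives the caller expected in a full scan that the log does not list."""
    return [d for d in expected if d not in report["drives"]]


# Abridged copy of the quick-scan log posted in the thread (German build).
QUICK_SCAN_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Datenbank Version: 5111
Windows 5.1.2600 Service Pack 2
14.11.2010 14:07:11
Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 160037
Laufzeit: 8 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
"""
# The posted full-scan log differs only in scan type, object count and time.
FULL_SCAN_LOG = QUICK_SCAN_LOG.replace(
    "Art des Suchlaufs: Quick-Scan",
    r"Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|M:\|W:\|)",
).replace("Durchsuchte Objekte: 160037", "Durchsuchte Objekte: 220514")

if __name__ == "__main__":
    # Drive letters below are assumptions; the thread does not name them.
    wanted = ["C:\\", "W:\\"]
    for name, log in (("quick", QUICK_SCAN_LOG), ("full", FULL_SCAN_LOG)):
        r = parse_mbam_log(log)
        print(name, r["scan_type"], "clean" if is_clean(r) else "NOT clean",
              "missing:", missing_drives(r, wanted))
```

A quick scan lists no drives, so missing_drives reports every expected letter for it; only the full scan can answer the "was the USB stick in?" question, which is why the helper asks for that one specifically.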

#14 teacup61 (Malware Response Team)

Posted 14 November 2010 - 12:57 PM

Posted 14 November 2010 - 12:57 PM

Hallo Anneke,

Yes, thank you so much....and you're welcome! :)

That's good on those scans. :thumbup2: One more thing to ask you. Did you do the same with ComboFix? I want to be sure you scanned with the USB and external in, just to be sure. If you did, then I think the infection is gone. Just please, please be sure to watch your accounts, especially your bank account, and change your passwords.

Thank you for being so patient. The time difference makes it hard to be here at the same time to do this...you're like 6 or 7 hours ahead of me, I think. We'll get it. :thumbsup:

tea

#15 anneke (Topic Starter)

Posted 14 November 2010 - 01:40 PM

Posted 14 November 2010 - 01:40 PM

I'm the one who has to say thanks :) ..... you have been so patient with me.
I haven't done the same with ComboFix... I'll do that later tonight and send you the results....
I have closed my online banking and PayPal accounts and I'll get another Visa card, so I'll be OK!!! :thumbsup:



