HDD Plus Malware - Can't Remove

20 replies to this topic

#1 Oskee (Members, 48 posts)

Posted 08 December 2010 - 10:47 PM

Hi

I got the HDD malware earlier and found this post on bleeping computer. I thought I got rid of it by following the steps:

http://www.bleepingcomputer.com/virus-removal/remove-hdd-plus

Below is the Malwarebytes log that found it.

However, I noticed a strange item still in my start up menu and the HDD is back! I tried running the same steps above again and it is not finding it this time!! Can you help? I am running vista.

Log below (that cleared it the first time):

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5274

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

12/8/2010 4:58:34 PM
mbam-log-2010-12-08 (16-58-34).txt

Scan type: Quick scan
Objects scanned: 150426
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11017835 (Trojan.FakeAlert) -> Value: 11017835 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Schutte\AppData\Local\Temp\11017835.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
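The log above shows the persistence pattern the thread is dealing with: a `Run` value under HKCU whose name matches an executable dropped in the user's `Temp` folder. As an added example that is not part of the original post, the following Python parses Malwarebytes-style detection lines and pairs each infected `Run` value with a quarantined Temp-folder executable of the same name; the sample log is constructed from the detections quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in Malwarebytes 1.50 log format, built from the two
# detections posted in this thread (Run value + Temp executable).
SAMPLE_LOG = r"""Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11017835 (Trojan.FakeAlert) -> Value: 11017835 -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Schutte\AppData\Local\Temp\11017835.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "<path> (<detection name>) -> <action taken>"
FINDING_RE = re.compile(r"^(?P<path>[^(]+?) \((?P<detection>[^)]+)\) -> (?P<action>.*)$")


def parse_mbam_log(text):
    """Return one dict per detection line with its section, path, detection and action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def temp_autorun_pairs(findings):
    """Pair each infected Run value with a Temp-folder executable of the same name.

    A Run value that launches a randomly named .exe from %TEMP% is the
    FakeAlert persistence seen in this thread; pairing the two lines makes
    the relationship explicit instead of leaving them as separate hits.
    """
    run_values = {
        PureWindowsPath(f["path"]).name.lower()
        for f in findings
        if f["section"] == "Registry Values Infected"
        and "\\currentversion\\run\\" in f["path"].lower()
    }
    pairs = []
    for f in findings:
        if f["section"] != "Files Infected":
            continue
        p = PureWindowsPath(f["path"])
        in_temp = any(part.lower() == "temp" for part in p.parts)
        if in_temp and p.stem.lower() in run_values:
            pairs.append((p.stem, f["path"]))
    return pairs
```

Running `temp_autorun_pairs(parse_mbam_log(SAMPLE_LOG))` returns the single pair `11017835` / `c:\Users\Schutte\AppData\Local\Temp\11017835.exe`.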

#2 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 08 December 2010 - 11:58 PM

Hello and welcome.
Download FakeAlert Stinger and save to desktop.
Double-click the Stinger application you saved to your desktop.

NOTE: If you are a Windows 7 or Windows Vista user, right-click and select Run As Administrator

If a security warning is displayed, click Yes or Run.
By default the C: drive is scanned. Click Add or Browse to add additional drives/directories.
Click Scan Now. By default, Stinger repairs all infected files found.



Please perform a scan with Eset Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image].
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image].
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 08:14 AM

I have an older version of stinger on my desktop - this version you are having me download appears to be an MS-DOS Application? Is that correct?

It appears to skip right over the file that appears to be the malware that is showing up in my start up menu. That file is "microsoftware" by Micro Corp?

I will run both unless I hear back from you prior to - however, wanted to see if this was correct. Thanks for your help!!

#4 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 08:17 AM

The file that is in my start up is in my temp files and is kXVjsxrfbj.exe - it is active in my start up. But after logging on today the fake alert malware has not popped up yet?

#5 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 09 December 2010 - 11:18 AM

this version you are having me download appears to be an MS-DOS Application? Is that correct?

YES.
I cannot find a reference to Micro Corp tho. Let's wait till after the tool below is run for Stinger.

This kXVjsxrfbj.exe is a TDSS infection, we will run the tool below.
This will steal your passwords and look for financial info.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#6 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 12:27 PM

Eset got it and removed it:

:\Users\Schutte\AppData\Local\Temp\kXVjsxrfbJ.exe Win32/TrojanDownloader.Prodatect.AU trojan cleaned by deleting - quarantined
C:\Users\Schutte\AppData\Local\Temp\tmp3B0F.tmp Win32/TrojanDownloader.Prodatect.AU trojan cleaned by deleting - quarantined
C:\Users\Schutte\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\62f39f75-28081a0e multiple threats deleted - quarantined

It appears to be cleaned now and is not in my start up. I will run the other TDSS also.

How does it steal passwords? By using key stroking software?

#7 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 12:35 PM

TDSS found nothing. What else should I do? I am a bit concerned about the password stealing - however, that file was only on the computer for a little over 12 hours. Can I use this computer now if we think it's clean to change passwords?

Also - I believe whenever Java loads is when I get a virus and an error message from Java pops up. Could my Java not being up to date be the cause?

#8 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 09 December 2010 - 01:04 PM

After these updates if any then you can change the passwords.

What version of JAVA is running?
Go into Control Panel> Programs > Uninstall a Program.
Go down the list and tell me what Java applications are installed and their version.
Same with Adobe applications.


Zbot is a family of password stealing trojans. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.
After installation, Zbot attempts to contact a remote site via port 80 in order to download additional instructions (which may be in the form of a configuration file) and/or arbitrary files to execute.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot

Edited by boopme, 09 December 2010 - 01:08 PM.


#9 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 01:09 PM

Thanks - now you have me scared! lol. Let me know what you think I should do.

Here are the versions of Java:
Java TM 6 Update 3
Java TM 6 Update 7
Java TM 6 Update 13
Java TM 6 Update 13 (64 bit)

Adobe:
Adobe Flash Player 10 Active X
Adobe Reader 9.3.2

#10 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 09 December 2010 - 01:18 PM

Hello, Adobe is good.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: 'Unprecedented Wave of Java Exploitation'
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to [image] > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


#11 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 01:20 PM

Will do ASAP! Thanks! Still have me scared with the password issue! I use the computer for general log in to my banking and paying credit cards and other bills.

#12 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 01:23 PM

That link has the web all in Chinese? I can't get it to change??

#13 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 01:31 PM

Strange - now it is in English. I will download.

#14 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 09 December 2010 - 01:43 PM

Maybe we should be very safe and post a DDS log and be certain nothing is hiding here. It will be a couple days for a reply. Financials are nothing to play with.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link to this topic there.
http://www.bleepingcomputer.com/forums/topic365838.html/page__gopid__2049421#entry2049421

Let me know if that went well.

Edited by boopme, 09 December 2010 - 01:43 PM.


#15 Oskee (Topic Starter, 48 posts)

Posted 09 December 2010 - 01:50 PM

Ok - I ran the Java updates. I just had to change the country up top from China to the US to get English.