"Skateboarder" hijack - trojan - keylogger


  • This topic is locked
2 replies to this topic

#1 JayKaye

JayKaye

  • Members
  • 2 posts
  • Local time:08:12 PM

Posted 23 April 2011 - 11:23 PM

I have been hammering away at this nasty bug for 4 days now with little success!!

XP Home(32) SP2 running with Nvidia Forceware Firewall and Avast Anti-Virus.

Problem started with slow running machine. Thought that it needed good cleaning including per "friends" at Microsoft a "clean boot" to clean out old restore points. Found that I could not get the restore points removed using selective start-up and reloading original boot.ini. The system just kept coming back with new restore points even though "system restore" was turned off. Tried to delete restore points with Malwarebytes' Anti-Malware tools. The restore points kept coming back. Also many "memory error screens" were popping up.

Then tried to start in safe mode. Found I had a new user at log in. Avatar of a "skateboarder" with user name "Administrator" (My Admin name is different and unique.)

1. Ran Malwarebytes' Anti-Malware scan, found file "cryptsvc" and "userint.exe" in registry. Deleted them. They came back several times, but I think I had finally gotten rid of them. Also I turned off the Windows Office language/speech app "ctfmon.exe" as it kept interrupting in the taskbar, read somewhere it might be infected, and I don't need it.

2. Rebooted and then things got ugly. First there was a CMD.COM script from a file "SDRA64.EXE" that started to run. I think I killed it in time.

3. Then I found a file in reg named crypt.exe. I killed it.

4. Then when windows opened I got "Windows needs to be activated" box and now a nag screen. (Called M/S and they said it was a valid install number, but I didn't reactivate because I know it is bogus)

5. My Avast A/V was dead. Reinstalled it several times and finally got it to work, I think.

6. My Firewall went dead. Windows would not let me turn it back on. Finally got it back working also.

I have run: Windows Safety Scanner, Malwarebytes A/V, Spybot S/D, Avast A/V, and Rkill.exe, several times. All show system clean. None will work at boot time though.

And my other user "Skateboarder" is still showing up when I open in safe mode. I still can not delete or turn off system restore. I am still getting Windows activation nag screen. I can not get any A/V to run at boot. So I know I am still infected. I have googled this bug and don't seem to find it. Does this look familiar?


I am stuck and exhausted (I am an old guy). Any help is appreciated.

Jay ( R O H D D "at" H o T m A $ L )

Attached are the DDS.Txt, Attach.Txt, Gmer_rootkit_scan.log, and Hijackthis.log files


#2 eddie5659

eddie5659

  • Malware Response Team
  • 127 posts
  • Gender:Male
  • Local time:03:12 AM

Posted 02 May 2011 - 03:14 PM

Hiya and welcome to BleepingComputer :)

Sorry for the late reply, but these forums are very busy..

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please include the MBAM log, SUPERAntiSpyware Scan Log and a fresh HijackThis log in your next reply.

eddie

#3 eddie5659

eddie5659

  • Malware Response Team
  • 127 posts
  • Gender:Male
  • Local time:03:12 AM

Posted 10 May 2011 - 01:02 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.