Malware Attack


  • This topic is locked
2 replies to this topic

#1 desmondang1109

desmondang1109

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 28 June 2006 - 05:46 AM

Hi, my screen suddenly turned black yesterday and there is a warning with a red "X" icon that keeps popping up on the task bar that says

" Your Computer is in Danger!
Windows Security Center have detected spyware/adware infection!
It is strongly recommended to use special antispyware tools to prevent date loss
Click here to install the latest protection tools! "

Then it installed a program, Brave Sentry (which I have already uninstalled), and now my notepad.exe and I can't install any exe application as well. Once I connect to the internet, my McAfee detects mass mail being sent out (about 5-10 mails in 30 seconds). Every time I use Internet Explorer, it experiences an error and closes by itself.

Can someone help me by taking a look at the HijackThis log? Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:52:38 PM, on 6/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\8af60a9c.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Windows\xpupdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [8af60a9c.exe] C:\Documents and Settings\DAD Computer\Local Settings\Application Data\8af60a9c.exe
O4 - HKCU\..\Run: [_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.turfclub.com.sg/web/Files.nsf/L...le/ticker.class
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
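
An added triage example, not part of the original thread: it parses HijackThis O4 (autostart) and O20 (Winlogon Notify) lines and applies generic heuristics (random-looking or oddly-named images, Temp-directory launches, legacy RunServices entries, Notify DLLs outside System32, executables dropped straight into the Windows directory). The sample lines are constructed in the shape of the log above; a hit means "review this entry", not a malware verdict.

```python
import re

# Constructed sample in HijackThis v1.99.1 O4/O20 line format, shaped like the
# entries in post #1; the Java and McAfee lines stand in for legitimate autostarts.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
IMAGE_RE = re.compile(r'"?(.*?\.(?:exe|dll))', re.I)

def image_path(cmd):
    """Strip surrounding quotes and trailing arguments, keeping only the image path."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()

def reasons_for(key, path):
    """Generic review heuristics for one autostart entry (hits are leads, not verdicts)."""
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
    hits = []
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        hits.append("hex-random filename")
    if stem.startswith("_") or re.search(r"[\[\]^]", stem):
        hits.append("unusual characters in filename")
    if "\\temp\\" in low:
        hits.append("runs from a Temp directory")
    if key == "RunServices":
        hits.append("RunServices key (Win9x-era autostart location)")
    if key == "WinlogonNotify" and not low.startswith("c:\\windows\\system32\\"):
        hits.append("Winlogon Notify DLL outside System32")
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low):
        hits.append("executable placed directly in the Windows directory")
    return hits

def triage(log_text):
    """Return {image path: [reasons]} for every O4/O20 entry that trips a heuristic."""
    findings = {}
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            key, path = m.group(2), image_path(m.group(4))
        elif m := O20_RE.match(line):
            key, path = "WinlogonNotify", m.group(2).strip()
        else:
            continue  # other HijackThis sections are not handled here
        if hits := reasons_for(key, path):
            findings[path] = hits
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample entries and leaves the Java and McAfee lines alone; the same heuristics apply to a full log pasted into `triage()`.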


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:41 AM

Posted 28 June 2006 - 09:37 AM

Hello and welcome to BC :thumbsup:
I am sorry to be the bearer of bad news, but in addition to BraveA trojan, you have various trojans with backdoor & rootkit abilities, and I am not surprised because you are using an unpatched version of XP. Trojan-Proxy.Win32.Xorpix.Fam is one of the dangerous trojans you have.

If you are on a network, separate this machine from the rest of the network and disconnect it from the internet immediately until it's cleaned.

Since you are using an unpatched version of Windows, it would be futile to try to clean it. Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a, so that we are not both wasting our time.
An unpatched Windows XP will get re-infected in minutes on the net, and we will never finish.
Get SP1a here : http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean. Doing so before your computer is clean can cause Windows to become unstable.

AFTER updating your machine to SP1a, post a fresh HijackThis log if you wish to attempt to clean it.

#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:41 AM

Posted 02 July 2006 - 12:50 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else, please begin a New Topic.
