Blended Stealth Infection Only Identified With Bps Remover



#1 E247

  • Members
  • 7 posts

Posted 13 July 2007 - 04:09 PM

HI Peeps!

New to this site so please forgive any protocol bleepers!

OK, any thoughts or help would be gr8ly appreciated! Oh, and btw my spelling is atrocious.

The machine is an AMD64 2800 with 1024 RAM running XP Home SP2, and sits behind a Netgear router connected to 2Gig ADSL.

I have run the normal tools, i.e. AVG, AVG Spyware, Ad-Aware, SUPERAntiSpyware, Trojan Hunter, Spybot Search&Destroy and Prevx 2.0. The only tool that has picked up anything is BulletProof Spyware Remover, which initially picked up Achilies.

Have used rootkit tools SmitfraudFix, SDFix, Huy32, ComboFix & Rustbfix. Smitfraud detected xpdt, huy32, pe386 & lzx32.

When I thought the machine was clean I rescanned with BPS Remover, only to find the infection was worse. It seems to reinfect when connected to the internet, attaching itself to the svchost process and gradually hogging 98% of the processor while communicating in stealth mode over the web, shutting down Windows Firewall and antivirus, as well as disabling regedit and other system functions and corrupting drivers.

BPS Remover scan results

Block-checker
Block-checker is a program which is used to check if your friends are blocking you on MSN, Yahoo or AOL. This program hijacks your messenger services by automatically sending messages such as "I know who's blocking me on MSN because I use http://www.block-checker.com". It also adds itself to the firewall exclusion policies.

Hkey_local_Machine/Software/Microsoft/Current Version/internet Settings/p3p/history/Bfast.com

Sytemprocess
oriented spyware that downloads and displays advertisements in a popup window while a user is browsing the Web

Hkey_local_Machine/Software/Microsoft/Current Version/internet Settings/p3p/history/qksrv.net

CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites.

Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/coolwebsearch.com

Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/coolwebsearch.com=*

Hkey_Current_user/Software/Microsoft/internet Explorer/Main=Use Custom Search URL

Uncategorised HiJacker
A hijacker is software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/xxxtoolbar.com
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/xxxtoolbar.com=*
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/pluginaccess.com
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/pluginaccess.com=*

Surveil
Surveil logs all system activity. The person who installed it can then watch all the logged activity.

HkKey_Classes_root/.zlg
HkKey_Classes_root/.zlg
HkKey_Classes_root/.zlg=Original Extension

Downloader-ACC
A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan

Hkey_Current_user/Software/Microsoft/internet Explorer/URLSearchHooks

Ridnu.B is a worm that spreads by copying itself to other drives.

Hkey_Current_user/Software/Microsoft/Current Version/Policies/system=DisableRegistryTools

VirusHeal is a misleading application that simulates detection of threats on the compromised computer.

Hkey_local_Machine/software/Microsoft/RFC1156Agent/CurrentVersion/Parameters=TrapPollTimeMilliSecs

Prefetch.Virus
is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

C:/WINDOWS/PREFETCH/NTVDM.EXE-1A1QA423.PF

Zhelatin.ch
is an email worm is a Windows PE EXE file. The worm components vary from 7KB to 93KB in size

C:/WINDOWS/System32/SPORDER.DLL

Achilies
is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

C:/windows/system32/catroot2/tmp.edb

IRCBot.abc
This Trojan provides a remote malicious user with access to the victim machine. It is managed via IRC. It is a Windows PE EXE file. It is 32,704 bytes in size.

HKEY_LOCAL_MACHINE/system/CurrentContolSet/Services/ADF/Parameters
HKEY_LOCAL_MACHINE/system/CurrentContolSet/Services/ADF/Parameters=irpStackSize


THANX IN ADVANCE TO ANYONE WHO CAN HELP!!!
E247
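The scan output quoted above is a flat list of detection names, vendor descriptions and registry or file paths, which is hard to triage by eye. The following Python script is an added example written for this thread; it is not code from the original post and not BPS Spyware Remover's own code. It parses a report laid out like the quoted one (the layout is inferred from that output, and the embedded sample report is constructed from its lines) and classifies each artifact by where it lives: IE ZoneMap domain entries, the DisableRegistryTools policy value, URLSearchHooks, service parameters, and prefetch files, which are execution traces rather than malicious files in themselves.

```python
"""Parse a BPS Spyware Remover style report into findings and classify each
artifact for triage. Added example for this thread, not the tool's own code;
the layout (description paragraph, then one registry/file path per line) is
inferred from the scan output quoted in the post above."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, assembled from lines of the quoted report.
SAMPLE_REPORT = """
CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites.

Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/coolwebsearch.com
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/coolwebsearch.com=*

Uncategorised HiJacker
A hijacker is software that resets your browser's settings to point to other sites.

Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/xxxtoolbar.com
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/xxxtoolbar.com=*
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/pluginaccess.com
Hkey_Current_user/Software/Microsoft/Current Version/internet Settings/ZoneMap/Domains/pluginaccess.com=*

Ridnu.B is a worm that spreads by copying itself to other drives.

Hkey_Current_user/Software/Microsoft/Current Version/Policies/system=DisableRegistryTools

Prefetch.Virus
is a self-replicating virus that does not alter files but resides in active memory and duplicates itself.

C:/WINDOWS/PREFETCH/NTVDM.EXE-1A1QA423.PF

IRCBot.abc
This Trojan provides a remote malicious user with access to the victim machine. It is managed via IRC.

HKEY_LOCAL_MACHINE/system/CurrentContolSet/Services/ADF/Parameters
HKEY_LOCAL_MACHINE/system/CurrentContolSet/Services/ADF/Parameters=irpStackSize
"""

HIVE_RE = re.compile(r"^hk[a-z]*_", re.IGNORECASE)  # Hkey_, HKEY_, HkKey_ (tool typo)
FILE_RE = re.compile(r"^[a-z]:[/\\]", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    description: str
    artifacts: List[Tuple[str, str]] = field(default_factory=list)  # (path, category)


def is_artifact(line: str) -> bool:
    return bool(HIVE_RE.match(line) or FILE_RE.match(line))


def classify(path: str) -> str:
    """Map one artifact line to a triage category based on where it lives."""
    low = path.replace("\\", "/").lower()
    if FILE_RE.match(low):
        # Windows writes a .pf file when a program runs: evidence of execution,
        # not a malicious file in itself.
        if "/prefetch/" in low and low.endswith(".pf"):
            return "prefetch_trace"
        return "file"
    if "classes_root/." in low:
        return "file_association"          # file-extension handler mapping
    if "policies/system" in low and "disableregistrytools" in low:
        return "registry_tools_disabled"   # regedit blocked by policy value
    if "/zonemap/domains/" in low:
        return "ie_zonemap_domain"         # domain assigned to an IE security zone
    if "/urlsearchhooks" in low:
        return "ie_url_search_hook"        # hook intercepting address-bar searches
    if "/internet explorer/main" in low:
        return "ie_main_setting"           # start page / custom search URL
    if "/services/" in low:
        return "service_config"            # driver or service parameters
    return "registry_other"


def zonemap_domain(path: str) -> Optional[str]:
    """Return the domain named in a ZoneMap/Domains path, or None."""
    p = path.replace("\\", "/")
    key = "/zonemap/domains/"
    i = p.lower().find(key)
    if i < 0:
        return None
    # What follows the domain is a sub-key ("/") or a value name ("="); a value
    # named "*" means the zone assignment applies to every protocol.
    return re.split(r"[/=]", p[i + len(key):], maxsplit=1)[0].lower()


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_artifact(line):
            if current is None:                      # path with no heading above it
                current = Finding("(unattributed)", "")
                findings.append(current)
            current.artifacts.append((line, classify(line)))
        elif current is None or current.artifacts:
            # Description text after a block of paths starts a new finding; a short
            # first line is the detection name, otherwise its first token is.
            words = line.split()
            current = Finding(line if len(words) <= 3 else words[0], line)
            findings.append(current)
        else:
            current.description += " " + line        # wrapped description line
    return findings


def category_counts(findings: List[Finding]) -> Counter:
    return Counter(cat for f in findings for _, cat in f.artifacts)


def zonemap_domains(findings: List[Finding]) -> List[str]:
    doms = {zonemap_domain(p) for f in findings for p, _ in f.artifacts}
    return sorted(d for d in doms if d)


def registry_editor_disabled(findings: List[Finding]) -> bool:
    return any(c == "registry_tools_disabled" for f in findings for _, c in f.artifacts)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f.name)
        for path, cat in f.artifacts:
            print(f"    [{cat}] {path}")
    print("categories:", dict(category_counts(found)))
    print("zonemap domains:", zonemap_domains(found))
    print("regedit disabled by policy:", registry_editor_disabled(found))
```

Run against the quoted report, the grouping makes the shape of the problem visible at a glance: several domains pushed into IE's zone map, one policy value that explains why regedit would not open, and one prefetch entry that only records that NTVDM.EXE ran rather than pointing at a malicious file.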


#2 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 13 July 2007 - 04:18 PM

BPS Spyware Remover is a rip off. Please download Rogue Remover Free. Install the program, and complete all updates. Then scan your system and let it remove everything that it finds. If Rogue Remover wishes to restart your machine, let it.

Follow the instructions in the Preparation Guide for Posting a HijackThis Log.

Edited by oldf@rt, 13 July 2007 - 04:19 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage
