Virtumonde, Smitfraud & Adware Infections

Discussion in 'Malware Help (A Specialist Will Reply)' started by stacyinaz, Sep 15, 2008.

  1. stacyinaz

    stacyinaz Private E-2

    You guys are the best!!... Okay, so I've done all the procedures and have attached my MGLogs.zip file.

    Here's the details:

    I picked up these issues at about 9:30 pm PST September 9th. I was doing a search on either Google or Yahoo (probably Yahoo)... for "slade smiley forclosure"... (don't ask... I was watching the season finale of "Date My Ex: Jo & Slade")... I clicked on a link that was perhaps the 3rd one in the list... there was no warning from Yahoo regarding potentially risky links...

    As soon as I clicked, I was redirected to a window with pornographic images called "PORNTUBE"... the logo was a take-off of YouTube. The internet address did not match "porntube"... but I don't know what it was... very long.

    When I attempted to close the page by closing IE I received pop-ups saying to affirm things... round and round... I always closed these popup questions by clicking the RED X close button... just to have another show up... I had to do a Ctrl Alt Del to start Task Manager and close IE.

    Things this scamware did:
    Random pop open of DVD-Rom
    Random Shut down of IE
    Network Connection Slow to Nil
    Attempted to redirect homepage (Norton 360 caught it and wouldn't allow redirect)
    "Security Warnings" Included:
    Trojan-downloader.win32.Agent.bq
    Trojan-spy.win32.keylogger.aa
    Trojan-clicker.win32.tiny.h
    Trojan-spy.HTML.Bankfraud.dq
    All warnings came with "security warnings" with a "solution" to rid your system of this "trojan", etc... which of course was a redirect to a "spyware removal" software program...

    If I've left anything out...let me know..

    Thanks for your help.
     

    Attached Files:

  2. stacyinaz

    stacyinaz Private E-2

    Re: Virtumonde, Smitfraud & Adware Infections??

    Forgot to add... I believe the redirect "removal" software name was for Smartsoft, PC antipsy and pc cleanpro (it was always the same page... kind of a pixelated "windows type logo" on the upper corner of the redirect page).

    Also, my title is a reference to 3 items picked up by Spybot, I believe. But... each program I ran, per your detailed instructions, picked up something.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You forgot to attach the other 3 logs that were requested. Please attach the below logs:

    • SUPERAntiSpyware
    • Malwarebytes
    • C:\combofix.txt from running ComboFix.
    Also you missed uninstalling Viewpoint Media Player in step 1 of the READ & RUN ME.

    Also please tell us what problems (if any) you are still having.
     
  4. stacyinaz

    stacyinaz Private E-2

    wow... how did I miss that... :eek: I was trying to follow your directions so carefully...

    I've attached the files... and uninstalled Viewpoint Media Player.

    So far the only problem I am having is random shutdowns of IE.


    God Bless Geeks!!

    Stacy
     

    Attached Files:

    Last edited: Sep 15, 2008
  5. stacyinaz

    stacyinaz Private E-2

    ....in addition... having sluggish network issues as before (no one else having issues, just me)... and IE randomly shutting down more often...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure you answer all questions that are asked below.

    I'm still not clear on what you mean. What do you mean by sluggish network issues exactly? What did you find out from installing Pure Networks? Did you buy this?

    And when you say no one else but you are you referring to people using the same computer or different computers on the same network?

    When you say IE shuts down, do you mean it crashes? Do you get error messages? If so, we need the exact word for word message.

    Is your copy of Spyware Doctor 6.0 a paid copy that actually fixes malware problems or is it just a trial? If a trial then uninstall it now.

    What did you do with Registry Mechanic which you just installed? Did you purchase this? If not then uninstall it.
    What did you do with Trend Micro that you just installed?

    What is the Autorun.exe file that is on your Desktop?


    Why do you need the below to always be running?
    C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp
    C:\Users\Mom\AppData\Local\Temp\

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 16, 2008
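The three O4 lines that chaslang asks to have fixed above are HijackThis's rendering of HKLM Run-key autostarts, and the temp-folder cleanup in the same post targets the places where this kind of scamware usually drops its payload. The following is an added example, not from the original post and not part of HijackThis or MGtools: a small Python triage that parses O4 lines, pulls every executable path off the command line (including the DLL behind a rundll32 entry), and flags entries that run from a user-writable location or that reuse a core Windows process name outside the Windows directory. The first three sample lines are the ones quoted in the post; the last two are constructed for illustration and do not come from any log in this thread. Legitimate autostarts like the three above live under Program Files; the triage rates them "ok" on that basis and reserves the flag for entries whose executable lives somewhere a standard user can write.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the first three lines are the O4 entries quoted in
# the post above; the last two are made-up entries (not from any log in this
# thread) that show what a startup item living in a user-writable directory
# looks like.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe',
    r'O4 - HKCU\..\Run: [svchost] C:\Users\Mom\AppData\Local\Temp\svchost.exe',
    r'O4 - HKLM\..\Run: [Windows Update] rundll32.exe "C:\Users\Mom\AppData\Local\Temp\update.dll",Run',
]

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): '
    r'\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$'
)
# Any drive-letter path ending in an executable-type extension, quoted or not
# (unquoted paths may contain spaces, so stop at the extension, not at a space).
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js)(?![A-Za-z0-9])',
    re.I,
)
# Locations a standard user can write to; legitimate autostarts almost always
# live under Program Files or the Windows directory instead.
USER_WRITABLE = [
    (re.compile(r'\\Temp\\', re.I), 'a Temp directory'),
    (re.compile(r'\\(?:AppData|Application Data|Local Settings)\\', re.I),
     'a user profile data directory'),
    (re.compile(r'\\(?:ProgramData|Recycler|\$Recycle\.Bin)\\', re.I),
     'ProgramData or the Recycle Bin'),
]
# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                'services.exe', 'smss.exe', 'explorer.exe'}
WINDOWS_DIR_RE = re.compile(r'\\Windows\\', re.I)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    paths: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis line; return None for anything that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = O4Entry(m['hive'], m['key'], m['name'], m['cmd'])
    # Check every file referenced on the command line (covers rundll32 + DLL).
    for path in PATH_RE.findall(entry.command):
        entry.paths.append(path)
        for pattern, label in USER_WRITABLE:
            if pattern.search(path):
                entry.reasons.append(f'{path}: runs from {label}')
        basename = path.rsplit('\\', 1)[-1].lower()
        if basename in SYSTEM_NAMES and not WINDOWS_DIR_RE.search(path):
            entry.reasons.append(f'{path}: system-process name outside the Windows directory')
    return entry


def triage(lines: List[str]) -> List[O4Entry]:
    """Parse all O4 lines from a HijackThis log, keeping their original order."""
    return [e for e in map(parse_o4, lines) if e is not None]


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        flag = 'SUSPECT' if e.suspicious else 'ok     '
        print(f'{flag} {e.hive}\\..\\{e.key} [{e.name}] -> {e.paths}')
        for r in e.reasons:
            print(f'         {r}')
```

Feed it the whole HijackThis log and it ignores every line that is not an O4 entry; the path regex stops at the file extension rather than at the first space, which is what makes unquoted paths such as the HP updater line parse correctly.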
  7. stacyinaz

    stacyinaz Private E-2

    re: sluggish... network connection and internet speed, run through Pure Networks... yes I own it and paid for it.

    re: other computers... no other computers on the network having "sluggish" issues.

    re: IE... yes... it crashes... just grays out and yet a Windows notification that IE has shut down... it automatically restarts. I will make note of the exact msg... it's the standard message I believe... I've seen this message before multiple times in my computing experience.

    spyware doctor...yes... i paid for it.

    did not buy registry mechanic... will uninstall


    re: trend micro... i don't remember which one that was...but i did not delete any of the programs that were on the instructions

    Autorun.exe file is "Settlers 6"... a game... I own it... bought from direct2drive.com

    No I do not need GameSpot download manager running all the time... I should take this off my startup files

    I will update you after i finish your new list of instructions!!

    You Rock!
     
  8. stacyinaz

    stacyinaz Private E-2

    Ok...

    finished your latest instructions...

    received "success" message for the registry add.

    and have attached logs.

    I'll let you know how things are working!

    thanks again,

    Stacy
     

    Attached Files:

  9. stacyinaz

    stacyinaz Private E-2

    Still having random IE shut downs...

    Received the following Error:

    ________________________________________________________________
    PROBLEM REPORTS AND SOLUTIONS

    Download updates for HP Smart Web Printing

    This problem was caused by HP Smart Web Printing, which was created by Hewlett Packard.

    Solution

    --------------------------------------------------------------------------------


    A newer version of this software is available for download that addresses this problem. Hewlett Packard recommends updating to take advantage of security and stability improvements.

    Go online to the following website to update HP Smart Web Printing:

    Hewlett Packard
    _______________________________________________________________

    Followed by the standard "was this information helpful" YES NO SOMEWHAT.


    ______________________

    found the HP update:

    File name: HP_Smart_Web_Printing_v4.03.exe (1/1, 8.68M)
    By downloading, you agree to the terms and conditions of the HP software licensing agreement.
    Released: 2008-07-02
    Version: 4.03
    Compatibility: Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows Vista Ultimate (32-bit), Microsoft Windows Vista Home Basic (32-bit), Microsoft Windows Vista Home Premium (32-bit), Microsoft Windows XP Professional, Microsoft Windows XP Home Edition
    System requirements: Microsoft Windows XP Professional, Microsoft Windows XP Home Edition
    Microsoft Windows Vista Ultimate, Microsoft Windows Vista Home Basic, Microsoft Windows Vista Home Premium
    Internet Explorer version 6.0, 6.0 SP1 and 7.0 (32-bit versions only)
    Mozilla Firefox version 2.0.0x

    Description: With this fast, free download, this enhancement to Microsoft Internet Explorer and Mozilla Firefox improves upon IE and Firefox ability to print what you see on the web page. HP Smart Web Printing allows users to:
    Select text and graphics easily from any web site and save a handy list of clips
    Save paper by combining portions of numerous web pages
    Preview and modify clips before printing

    Enhancements: In addition, HP Smart Web Printing automatically fixes right-edge clipping, eliminating wasteful prints containing clipped pages or sparse lines of useless text (IE 6.0 only).

    I DID THE INSTALL.

    Not sure if or why this is part of the IE shut down problem...as this isn't the message that was happening previously. In addition, there has been no correlation between IE shutdowns and printing of any kind.

    Will update if this does or does not resolve issue.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are now clean.

    But did it detect any issues?


    You say only this PC has poor performance. Please answer these questions.
    1. Is this PC using a wireless connection and what are the others using?
    2. Also do the other PCs also have the same versions of Symantec and Spyware Doctor installed?
    3. Do the other PCs have iTunes installed?
    4. Do the other PCs have Pure Network installed?
    5. Do the other PCs also have the Roxio software installed?
    6. Do the other PCs have all of the below same browser helper objects ( BHO's)
      • Yahoo! Toolbar Helper
      • Adobe PDF Reader Link Helper
      • RealPlayer Download and Record Plugin for Internet Explorer
      • Windows Live Sign-in Helper
      • OToolbarHelper Class
      • HP Print Clips
    7. Do the other PCs have all the same toolbars installed?
      • Show Norton Toolbar
      • Yahoo! Toolbar
      • PayPal Plug-In
      • Veoh Browser Plug-in
    8. Why are all the below connections from other PCs showing on your PC? Is your PC used as a gateway?
    Code:
      TCP    192.168.1.103:139      BAILEY-LAPTOP:50990    ESTABLISHED
      TCP    192.168.1.103:1196     BAILEY-LAPTOP:50963    ESTABLISHED
      TCP    192.168.1.103:2869     Bailey-PC:55080        TIME_WAIT
      TCP    192.168.1.103:2869     Bailey-PC:55082        TIME_WAIT
      TCP    192.168.1.103:2869     Bailey-PC:55084        TIME_WAIT
      TCP    192.168.1.103:2869     Bailey-PC:55086        TIME_WAIT
      TCP    192.168.1.103:2869     Bailey-PC:55088        TIME_WAIT
      TCP    192.168.1.103:49223    fdl-lb:http            CLOSE_WAIT
      TCP    192.168.1.103:49249    by1msg5276712:msnp     ESTABLISHED
      TCP    192.168.1.103:51036    Bailey-PC:1196         ESTABLISHED
      TCP    192.168.1.103:52502    72.215.224.121:http    ESTABLISHED
      TCP    192.168.1.103:52503    Bailey-PC:netbios-ssn  TIME_WAIT
      TCP    192.168.1.103:52510    HP7200OFFICE:netbios-ssn  TIME_WAIT
      TCP    192.168.1.103:52512    HP7200OFFICE:9100      TIME_WAIT
      TCP    192.168.1.103:52514    HP7200OFFICE:http      TIME_WAIT
      TCP    192.168.1.103:52521    HP7200OFFICE:netbios-ssn  TIME_WAIT
    This is most likely a topic for the Software Forum. You can obtain information of the reason for the crashes from the Event Viewer logs ( see: http://support.microsoft.com/kb/308427 ). These should be posted in the Software Forum.

    But what did you do with it? Did it fix/repair/remove any registry entries? Or did it just report problems and not fix them?

    Do not use MSconfig or CCleaner to do this.

    Your HP Smart Web Printing is also not a topic for this forum; however I do suggest that if you don't use this feature that you uninstall it or at a minimum stop any parts of it from loading.
     
    Last edited: Sep 17, 2008
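The netstat excerpt in the post above lists each connection by remote host and, where Windows could resolve the port, by service name. As an added example that is not part of the post, here is a Python classifier that parses those lines, maps service names back to port numbers, and decides per line whether this PC was the server (another host connected to a service port here, such as 139 for SMB file sharing or 2869 for the Windows UPnP device host) or the client (an outbound connection, such as the print traffic to HP7200OFFICE on port 9100). The set of LAN hostnames is an assumption taken from the names in the excerpt: netstat prints only the first label of a resolved name, so a dotless name such as fdl-lb is not proof a host is local. The Vista-era dynamic port range starting at 49152 is used to decide which side initiated a connection on an unlisted port such as 1196. The sample input is the excerpt itself.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Sample input: the netstat excerpt quoted in the post above (this PC is 192.168.1.103).
NETSTAT_LINES = """
  TCP    192.168.1.103:139      BAILEY-LAPTOP:50990    ESTABLISHED
  TCP    192.168.1.103:1196     BAILEY-LAPTOP:50963    ESTABLISHED
  TCP    192.168.1.103:2869     Bailey-PC:55080        TIME_WAIT
  TCP    192.168.1.103:2869     Bailey-PC:55082        TIME_WAIT
  TCP    192.168.1.103:2869     Bailey-PC:55084        TIME_WAIT
  TCP    192.168.1.103:2869     Bailey-PC:55086        TIME_WAIT
  TCP    192.168.1.103:2869     Bailey-PC:55088        TIME_WAIT
  TCP    192.168.1.103:49223    fdl-lb:http            CLOSE_WAIT
  TCP    192.168.1.103:49249    by1msg5276712:msnp     ESTABLISHED
  TCP    192.168.1.103:51036    Bailey-PC:1196         ESTABLISHED
  TCP    192.168.1.103:52502    72.215.224.121:http    ESTABLISHED
  TCP    192.168.1.103:52503    Bailey-PC:netbios-ssn  TIME_WAIT
  TCP    192.168.1.103:52510    HP7200OFFICE:netbios-ssn  TIME_WAIT
  TCP    192.168.1.103:52512    HP7200OFFICE:9100      TIME_WAIT
  TCP    192.168.1.103:52514    HP7200OFFICE:http      TIME_WAIT
  TCP    192.168.1.103:52521    HP7200OFFICE:netbios-ssn  TIME_WAIT
""".strip().splitlines()

# Assumption: these names (taken from the excerpt) are hosts on the home LAN.
LAN_HOSTS: Set[str] = {'BAILEY-LAPTOP', 'BAILEY-PC', 'HP7200OFFICE'}

# Windows netstat resolves well-known ports to names; map them back.
SERVICE_NAMES = {'http': 80, 'https': 443, 'epmap': 135, 'netbios-ssn': 139,
                 'microsoft-ds': 445, 'msnp': 1863}
# Local ports where a connection means another host is using a service on this PC.
LOCAL_SERVICES = {135: 'RPC endpoint mapper', 139: 'NetBIOS session (SMB file sharing)',
                  445: 'SMB over TCP', 2869: 'Windows UPnP device host',
                  3389: 'Remote Desktop'}
# Remote ports this PC connects out to.
REMOTE_SERVICES = {80: 'HTTP', 443: 'HTTPS', 139: 'SMB file sharing',
                   445: 'SMB file sharing', 1863: 'MSN Messenger (MSNP)',
                   9100: 'raw printer port (JetDirect)'}
EPHEMERAL_START = 49152  # start of Vista's dynamic client-port range

LINE_RE = re.compile(
    r'^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\S+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\S+)(?:\s+(?P<state>\S+))?\s*$'
)


@dataclass
class Conn:
    proto: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str
    direction: str  # 'inbound': the peer connected to a service on this PC
    scope: str      # 'lan' or 'other'
    service: str


def port_number(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token.lower())


def remote_scope(host: str, lan_hosts: Set[str]) -> str:
    try:
        return 'lan' if ipaddress.ip_address(host).is_private else 'other'
    except ValueError:  # a resolved name, not an address
        return 'lan' if host.upper() in lan_hosts else 'other'


def classify(line: str, lan_hosts: Set[str] = LAN_HOSTS) -> Optional[Conn]:
    """Parse one netstat line; None for headers and anything else unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lport, rport = port_number(m['lport']), port_number(m['rport'])
    # This PC is the server if it holds a known service port, or if only the
    # peer is on an ephemeral port (so the peer must have been the client).
    if lport in LOCAL_SERVICES:
        direction, service = 'inbound', LOCAL_SERVICES[lport]
    elif rport is not None and rport >= EPHEMERAL_START and (lport or 0) < EPHEMERAL_START:
        direction, service = 'inbound', f'unlisted local port {lport}'
    else:
        direction = 'outbound'
        service = REMOTE_SERVICES.get(rport, f"unlisted remote port {m['rport']}")
    return Conn(m['proto'], lport, m['raddr'], rport, m['state'] or '',
                direction, remote_scope(m['raddr'], lan_hosts), service)


def summarize(lines: Iterable[str], lan_hosts: Set[str] = LAN_HOSTS) -> Dict[str, int]:
    """Count connections per direction/scope, e.g. {'inbound/lan': 7, ...}."""
    conns = [c for c in (classify(l, lan_hosts) for l in lines) if c]
    return dict(Counter(f'{c.direction}/{c.scope}' for c in conns))


def exposed_services(lines: Iterable[str], lan_hosts: Set[str] = LAN_HOSTS) -> List[str]:
    """Services on this PC that other hosts have actually connected to."""
    conns = [c for c in (classify(l, lan_hosts) for l in lines) if c]
    return sorted({c.service for c in conns if c.direction == 'inbound'})


if __name__ == '__main__':
    print(summarize(NETSTAT_LINES))
    print('exposed to other hosts:', exposed_services(NETSTAT_LINES))
```

On the excerpt this yields 7 inbound LAN connections (SMB, UPnP and the unlisted port 1196), 6 outbound LAN connections (SMB and printing to the printer and the other PCs) and 3 outbound connections to hosts outside the LAN (HTTP and MSN Messenger). A socket listing like this shows what the PC itself is serving and consuming; packets a machine merely forwards for others never appear in netstat, so the inbound rows are best read as the file-sharing and UPnP services this PC exposes to the rest of the LAN, which is worth confirming is intended.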
