Author Topic: Help please!  (Read 11609 times)

Viper666

  • Guest
Help please!
« on: May 24, 2008, 09:43:27 AM »
Hi it's me again, only this time this is my parents' computer instead of mine. But on with the show...

I wasn't around when it happened, but the story is that my mother went on a site and all of a sudden, bugs were crawling across the screen and it told her that she had spyware (win32:malware.alarm) and whether or not she wanted to remove it. Note: this wasn't avast or any adware program, it was just a popup. I had something like this before, so yeah.

I'm not even quite sure what it is, but it might be Win32:Agent-UKF [trj], which is the only thing avast picked up on. Hope someone can help me. It'll be greatly appreciated :).

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help please!
« Reply #1 on: May 24, 2008, 09:52:27 AM »
Hi again yourself

Give this a shot
http://www.malwarebytes.org/rogueremover.php

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #2 on: May 24, 2008, 09:55:08 AM »
If it was just a pop-up, and your mother declined the offer of the lying scumbag sleazy scamware program on offer, then she should be OK.

Does she have an up to date browser with a pop-up blocker? (Firefox, Opera, IE7)

As a routine check, do a full AV scan. Boot time with avast! if she has that.

A spyware scan with the scanner/s of your choice.

A scan with Secunia Software Inspector to eliminate vulnerable software that may lead to drive-by downloads - installation of malware without user action.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Viper666

  • Guest
Re: Help please!
« Reply #3 on: May 24, 2008, 10:40:45 AM »
Hi again yourself

Give this a shot
http://www.malwarebytes.org/rogueremover.php
I downloaded it and ran a scan, but it didn't detect anything.

And I definitely forgot to add in the first post that this thing has also taken over the desktop with a screen that says: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.

Very similar to what I had before, but it looks different and it's a different popup than the one that I had.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help please!
« Reply #4 on: May 24, 2008, 10:43:47 AM »
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #5 on: May 24, 2008, 10:45:54 AM »
Give SmitFraudFix a go: it's a specialist tool for these desktop hijacks:

http://siri.geekstogo.com/SmitfraudFix.php

Otherwise, try the usual free adware/spyware scanners.

Online scanners:

Ewido Online Scan
X-Cleaner Micro Edition

Installed scanners:

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware - a rare but not unknown event for any malware scanner.

If still having problems, post a HijackThis! log.

Don't forget the Secunia Software Inspector scan and to use a secure browser.

Viper666

  • Guest
Re: Help please!
« Reply #6 on: May 24, 2008, 10:52:17 AM »
I'll give those a go tomorrow and update you guys on the results. Thanks for trying to help me out! :)

Viper666

  • Guest
Re: Help please!
« Reply #7 on: May 24, 2008, 06:15:42 PM »
I tried the SmitfraudFix and it seemed to work. So far, the desktop hijack screen hasn't come back yet.

However, avast continues to keep picking up something called Win32:Rootkit-gen [Rtk], and even after I delete it, it's still there.

So I decided to run HiJackThis anyway to see if you guys could either help get rid of it and any remaining things that might still be on here. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:32 AM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Speaker Configuration] D:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6136 bytes

Many thanks again!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #8 on: May 24, 2008, 06:28:53 PM »
This is a Trojan:

C:\WINDOWS\system32\sysrest32.exe

http://www.bleepingcomputer.com/startups/sysrest32.exe-20944.html

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis.

This will allow avast! and other AV programs to add the definition.

To deal with the rootkit, run a boot time scan: Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

There is currently a false positive rootkit identification of this file:

C:\WINDOWS\system32\drivers\vga.sys

If this is the file identified by avast!, do not delete it or you may lose your monitor display.

http://forum.avast.com/index.php?topic=35761.0


To deal with the Trojan, do a Ctrl|Alt|Del and kill the process sysrest32.exe.

Run HijackThis! again, tick the following entry:

O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe

Close all other windows and click 'fix'.

Reboot into Safe Mode and delete the file.

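One way to triage a HijackThis log the way the reply above does, as an added example that is not part of the thread or of HijackThis itself: parse the O4 Run entries, cross-reference them with the "Running processes" section, and flag autostarts living under C:\WINDOWS that are not on a known-good list. The sample log lines (modelled on the thread's log) and the tiny allowlist are constructed for the example.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the thread's log (not
# copied whole): running processes plus O4 Run entries, with the sysrest32.exe entry.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: a tiny allowlist of binaries that legitimately autostart from the
# Windows directory; real triage checks each name against a startup database.
KNOWN_WINDIR_AUTOSTARTS = {"ctfmon.exe"}

RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)

def executable_path(value: str) -> str:
    """Strip quotes and trailing arguments: '"x.exe"  -osboot' -> 'x.exe'."""
    m = PATH_RE.match(value.strip())
    return (m.group(1) or m.group(2)) if m else value.strip()

def parse_hijackthis(log: str) -> list[dict]:
    """One dict per O4 Run entry, cross-referenced with the running processes."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        if line == "Running processes:":
            in_procs = True
        elif in_procs:                     # section ends at the first blank line
            in_procs = bool(line)
            running.add(line.lower())
        elif m := RUN_RE.match(line):
            path = executable_path(m.group(3))
            fname = path.rsplit("\\", 1)[-1].lower()
            entries.append({
                "hive": m.group(1), "name": m.group(2), "path": path,
                "running": path.lower() in running,
                # The reply's heuristic: an unknown binary autostarting from
                # C:\WINDOWS is a lead worth looking up, not a verdict by itself.
                "suspicious": path.lower().startswith("c:\\windows\\")
                              and fname not in KNOWN_WINDIR_AUTOSTARTS,
            })
    return entries

def suspicious_autostarts(log: str) -> list[str]:
    return [e["path"] for e in parse_hijackthis(log) if e["suspicious"]]
```

Flagged entries are the ones to look up (the startup database linked above, VirusTotal) before ticking them in HijackThis; the heuristic narrows the list, it does not replace the lookup.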

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #9 on: May 24, 2008, 06:30:47 PM »
Your Sun Java application is out of date. This will allow drive-by downloads - installation of malware just by visiting the wrong site.

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

EDIT: Ad-Aware 2008 is available now: it's claimed to have better detection.

http://lavasoft.com/products/ad_aware_free.php
« Last Edit: May 24, 2008, 06:32:34 PM by FreewheelinFrank »

Viper666

  • Guest
Re: Help please!
« Reply #10 on: May 24, 2008, 07:57:38 PM »
All done and everything seems to be doing okay so far. sysrest32.exe is completely gone and avast! hasn't picked up any rootkit trojan. So I think we may be in the clear.

Thanks so much for helping out. Now my parent can rest assured. My mother had called Verizon and wanted to take all of these other measures and stuff *rolls eyes*. But ANYWAYS...thanks again! I'll be back if anything comes up :P.

Viper666

  • Guest
Re: Help please!
« Reply #11 on: May 24, 2008, 08:46:04 PM »
Okay, we may not have gotten rid of it completely.

Something else that this thing caused to happen was there was this screensaver type thing that comes on and bugs crawl over the screen, eating it and such. It acts just like a screensaver--activating when there's no activity--so I looked to see if the trojan just left the screensaver like how it left a blank screen when I encountered something like it. But, there's no screensaver set.

What else can I do now?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #12 on: May 24, 2008, 09:03:43 PM »
If you right click the desktop and select Properties>Desktop>Customize Desktop>Web is there anything odd in there?

(Default is just 'My home page' unticked.)

Viper666

  • Guest
Re: Help please!
« Reply #13 on: May 24, 2008, 09:08:48 PM »
No, there isn't anything weird. There's actually nothing listed.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help please!
« Reply #14 on: May 24, 2008, 09:12:06 PM »
If you right click the desktop and select Properties>Screensaver is Screensaver set to 'none'?