Topic: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS

vista87
Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« on: January 15, 2010, 09:40:31 AM »
I got infected with Win32:Fakeinit-H[TRJ] and I am not sure if there is an active backdoor/keylogger. How do I know whether there is an active backdoor/keylogger?

When I first scanned my laptop, I deleted whatever was detected (sorry, I didn't know I was supposed to move it to the chest).
Right after being infected, I got this message 'this windows is not original', but now the message is gone.
I was told that I would get pop ups and stuff like that, but I didn't get any of those.

After discovering Win32:Fakeinit-H[TRJ] I realised there were also Bredolab and ZBot-MNS.

I have uninstalled P2P programs such as Ares and BitTorrent.

Thanks in advance for those who can help me out of this mess.

Here is the report from Avast:

1/1/2010 10:22:41 AM   SYSTEM   1580   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\SoftwareDistribution\Download\794e187ec6eaa79a3c9915e164e61f37\BIT7457.tmp (C:\Windows\SoftwareDistribution\Download\794e187ec6eaa79a3c9915e164e61f37\BIT7457.tmp) returning error, 00000026.  
2/1/2010 6:46:48 PM   SYSTEM   1644   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.  
2/1/2010 6:46:49 PM   SYSTEM   1644   An error has occured while attempting to update. Please check the logs.  
5/1/2010 9:54:40 AM   SYSTEM   1660   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\SoftwareDistribution\Download\3e300a01c97e9a02cdecdcab81762ba8\BITD4BE.tmp (C:\Windows\SoftwareDistribution\Download\3e300a01c97e9a02cdecdcab81762ba8\BITD4BE.tmp) returning error, 00000026.  
5/1/2010 4:17:04 PM   SYSTEM   1660   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Users\sarah\AppData\Local\Ares\My Shared Folder\___ARESTRA___the sims 3 +crack.exe\MsgUpdate.dll" file.  
5/1/2010 4:17:24 PM   SYSTEM   1660   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Users\sarah\AppData\Local\Ares\My Shared Folder\___ARESTRA___the sims 3 +crack.exe\IgfxSys.dll" file.  
5/1/2010 4:18:23 PM   SYSTEM   1660   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Users\sarah\AppData\Local\Ares\My Shared Folder\___ARESTRA___the sims 3 +crack.exe\phuninst.dll" file.  
11/1/2010 4:05:59 PM   SYSTEM   1640   Sign of "HTML:Iframe-inf" has been found in "http://profiles.lovingyou.com/library/stories.php" file.  
11/1/2010 4:06:06 PM   SYSTEM   1640   Sign of "HTML:Iframe-inf" has been found in "C:\Users\sarah\AppData\Local\Mozilla\Firefox\Profiles\t99aolvu.default\Cache\AB0E6D9Bd01" file.  
14/1/2010 12:38:17 AM   SYSTEM   1572   Sign of "Win32:FakeAlert-GD [Trj]" has been found in "C:\Users\sarah\AppData\Local\Temp\~TM84C7.tmp" file.  
14/1/2010 12:38:31 AM   SYSTEM   1572   Sign of "Win32:Zbot-MNS [Trj]" has been found in "D:\Internet\Temporary Internet Files\Content.IE5\6RXRWKBM\dfghfghgfj[1].dll" file.  
14/1/2010 12:38:38 AM   SYSTEM   1572   Sign of "Win32:Zbot-MNS [Trj]" has been found in "C:\Windows\System32\helper32.dll" file.  
14/1/2010 8:52:59 AM   SYSTEM   1592   Sign of "Win32:Fakeinit-H [Trj]" has been found in "C:\Windows\System32\smss32.exe" file.  
14/1/2010 8:58:52 AM   sarah   2912   Sign of "Win32:Fakeinit-H [Trj]" has been found in "c:\windows\system32\smss32.exe" file.  
14/1/2010 8:59:08 AM   sarah   2912   Sign of "Win32:Fakeinit-H [Trj]" has been found in "c:\windows\system32\winlogon32.exe" file.  
14/1/2010 8:50:57 PM   SYSTEM   1620   Sign of "Win32:Bredolab-BM [Trj]" has been found in "C:\Users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe" file.  
14/1/2010 9:23:53 PM   SYSTEM   1620   Sign of "Win32:Bredolab-BM [Trj]" has been found in "Incoming email 'UPS Tracking Number 5430399.' From: "UPS Manager Shauna Browning" <tracking.support@ups.com>, To: <sarah@writingconsultation.com>\UPS_invoice_NR8745.zip#1249735697\UPS_invoice_NR8745.exe" file.  
14/1/2010 9:29:26 PM   sarah   4656   Sign of "Win32:Bredolab-BM [Trj]" has been found in "c:\users\sarah\appdata\roaming\microsoft\windows\start menu\programs\startup\rarype32.exe" file.  

I have also done DDS. Please find the attachment for the Avast report. Thanks.
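As an added example (not code from the thread or from Avast), a small Python script that reads the Avast report format above and sorts each detection by where it was found. The original question, whether something is still active, mostly turns on location: entries in the Startup folder or System32 would run again after a reboot, while cache, temp, web and e-mail entries are copies that were delivered or blocked. The location patterns are my own assumptions, chosen to match the paths in this report.

```python
import re

# Lines copied from the Avast report posted in this thread, in the order the
# report lists them; the last is an unrelated update error, kept to show that
# non-detection lines are skipped.
AVAST_LOG = r'''
11/1/2010 4:05:59 PM   SYSTEM   1640   Sign of "HTML:Iframe-inf" has been found in "http://profiles.lovingyou.com/library/stories.php" file.
14/1/2010 12:38:17 AM   SYSTEM   1572   Sign of "Win32:FakeAlert-GD [Trj]" has been found in "C:\Users\sarah\AppData\Local\Temp\~TM84C7.tmp" file.
14/1/2010 12:38:31 AM   SYSTEM   1572   Sign of "Win32:Zbot-MNS [Trj]" has been found in "D:\Internet\Temporary Internet Files\Content.IE5\6RXRWKBM\dfghfghgfj[1].dll" file.
14/1/2010 12:38:38 AM   SYSTEM   1572   Sign of "Win32:Zbot-MNS [Trj]" has been found in "C:\Windows\System32\helper32.dll" file.
14/1/2010 8:52:59 AM   SYSTEM   1592   Sign of "Win32:Fakeinit-H [Trj]" has been found in "C:\Windows\System32\smss32.exe" file.
14/1/2010 8:50:57 PM   SYSTEM   1620   Sign of "Win32:Bredolab-BM [Trj]" has been found in "C:\Users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe" file.
14/1/2010 9:23:53 PM   SYSTEM   1620   Sign of "Win32:Bredolab-BM [Trj]" has been found in "Incoming email 'UPS Tracking Number 5430399.' From: "UPS Manager Shauna Browning" <tracking.support@ups.com>, To: <sarah@writingconsultation.com>\UPS_invoice_NR8745.zip#1249735697\UPS_invoice_NR8745.exe" file.
2/1/2010 6:46:49 PM   SYSTEM   1644   An error has occured while attempting to update. Please check the logs.
'''

# One detection per line: 'Sign of "<name>" has been found in "<path>" file.'
# The path group is greedy so nested quotes (the e-mail entry) stay intact.
DETECTION = re.compile(r'Sign of "([^"]+)" has been found in "(.+)" file\.\s*$')

# Assumed location classes: the first two are places Windows runs from on its
# own at boot or logon; the rest hold copies that do not start by themselves.
LOCATIONS = [
    ("startup folder (auto-runs at logon)", r"\\start menu\\programs\\startup\\"),
    ("system directory (persistent component)", r"^c:\\windows\\system32\\"),
    ("p2p shared folder", r"\\ares\\my shared folder\\"),
    ("temp / browser cache (dropper or download)", r"\\temp\\|\\cache\\|temporary internet files"),
    ("web page (blocked in transit)", r"^https?://"),
    ("e-mail attachment (blocked in transit)", r"^incoming email "),
]

def classify(path):
    low = path.lower()
    for label, pattern in LOCATIONS:
        if re.search(pattern, low):
            return label
    return "other"

def parse_detections(log_text):
    """Return (detection name, path, location label) for each detection line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION.search(line)
        if m:
            hits.append((m.group(1), m.group(2), classify(m.group(2))))
    return hits

def persistence_hits(log_text):
    """Detections sitting where Windows would start them again after a reboot."""
    return [h for h in parse_detections(log_text) if h[2] in (LOCATIONS[0][0], LOCATIONS[1][0])]

if __name__ == "__main__":
    print([(n, p) for n, p, _ in persistence_hits(AVAST_LOG)])
```

On this report the three entries that need follow-up are the two System32 files and the Startup-folder executable; a later MBAM scan that still finds files in such locations is the sign the thread's helpers ask about.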

Offline Pondus
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #1 on: January 15, 2010, 11:30:07 AM »
Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found, and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked

If anything is found other than cookies you may post the scan logs here   

vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #2 on: January 16, 2010, 02:38:19 AM »
Thanks Pondus. I did scan my laptop with MalwareBytes and removed everything that was detected. I am just not sure whether the virus is totally removed.

Offline DavidR
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #3 on: January 16, 2010, 02:51:30 AM »
Can you post the contents of the MBAM log.

Why don't you think that the virus is/was totally removed, e.g. symptoms, etc. ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #4 on: January 16, 2010, 06:27:55 PM »
Quote from: DavidR on January 16, 2010, 02:51:30 AM
Can you post the contents of the MBAM log.

Why don't you think that the virus is/was totally removed, e.g. symptoms, etc. ?

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 6.0.6002 Service Pack 2 (Safe Mode)

14/1/2010 11:07:58 PM
mbam-log-2010-01-14 (23-07-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 247550
Time elapsed: 54 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

--------------------------------------------------

No specific symptoms. It's just that every time I turn on my laptop, I run Avast, Windows Defender and MalwareBytes to scan it, and sometimes I do get an alert about a certain virus. Sometimes Windows Defender alerts me about a change being made to a file (I have no idea why / what kind of changes).

Offline Pondus
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #5 on: January 16, 2010, 06:39:10 PM »
If you follow the guide here about the OTL program and post the OTL log here, then Essexboy can look at it.....
http://forum.avast.com/index.php?topic=53253.0


OBS: your Malwarebytes is very old; you have 1.40, the new one is 1.44 with database 3580. Update and scan again, and post the log.
MBAM is designed to be run in normal mode (I see in the log you ran it in safe mode).
« Last Edit: January 16, 2010, 11:56:09 PM by Pondus »

Offline DavidR
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #6 on: January 16, 2010, 06:46:48 PM »
@ vista87
Yes that file sdra64.exe found by MBAM would have been responsible for the other fake alert detections by avast, but now it is gone too.

From your prior posts (My Shared Folder\___ARESTRA___the sims 3 +crack.exe), it isn't surprising that from time to time you get alerts. Cracks are high risk, aside from any legal and moral issues, they are generally accompanied with other malware.

vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #7 on: January 16, 2010, 11:53:36 PM »
Quote from: DavidR on January 16, 2010, 06:46:48 PM
@ vista87
Yes that file sdra64.exe found by MBAM would have been responsible for the other fake alert detections by avast, but now it is gone too.

From your prior posts (My Shared Folder\___ARESTRA___the sims 3 +crack.exe), it isn't surprising that from time to time you get alerts. Cracks are high risk, aside from any legal and moral issues, they are generally accompanied with other malware.

Thanks for the info. Multiple users are using my laptop. I don't really know what they did using my laptop.  :(

vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #8 on: January 17, 2010, 01:27:21 AM »

Quote from: Pondus on January 16, 2010, 06:39:10 PM
OBS: your Malwarebytes is very old; you have 1.40, the new one is 1.44 with database 3580. Update and scan again, and post the log.
MBAM is designed to be run in normal mode (I see in the log you ran it in safe mode).

This is the latest MBAM log, after updating. I suppose this is normal mode (not sure).

Malwarebytes' Anti-Malware 1.44
Database version: 3580
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

17/1/2010 8:04:27 AM
mbam-log-2010-01-17 (08-04-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 253904
Time elapsed: 1 hour(s), 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\sarah\AppData\Roaming\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.

Offline DavidR
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #9 on: January 17, 2010, 01:29:04 AM »
Quote from: vista87 on January 16, 2010, 11:53:36 PM
Quote from: DavidR on January 16, 2010, 06:46:48 PM
@ vista87
Yes that file sdra64.exe found by MBAM would have been responsible for the other fake alert detections by avast, but now it is gone too.

From your prior posts (My Shared Folder\___ARESTRA___the sims 3 +crack.exe), it isn't surprising that from time to time you get alerts. Cracks are high risk, aside from any legal and moral issues, they are generally accompanied with other malware.

Thanks for the info. Multiple users are using my laptop. I don't really know what they did using my laptop.  :(

You're welcome.

You can give them limited user accounts, if they can't be trusted to exercise safe hex ;D

vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS
« Reply #10 on: January 17, 2010, 12:12:59 PM »

Quote from: Pondus on January 16, 2010, 06:39:10 PM
OBS: your Malwarebytes is very old; you have 1.40, the new one is 1.44 with database 3580. Update and scan again, and post the log.
MBAM is designed to be run in normal mode (I see in the log you ran it in safe mode).

Here is a new log after updating:

Malwarebytes' Anti-Malware 1.44
Database version: 3580
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

17/1/2010 8:04:27 AM
mbam-log-2010-01-17 (08-04-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 253904
Time elapsed: 1 hour(s), 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\sarah\AppData\Roaming\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.
vista87
Re: Win32:Fakeinit-H[TRJ], Bredolab, ZBot-MNS [resolved]
« Reply #11 on: January 20, 2010, 08:50:01 AM »
Problem resolved. Thanks!

queedeRat
Win32 Fakeinit HTRJ Bredolab ZBot MNS
« Reply #12 on: January 21, 2010, 08:39:15 PM »
Thank you.

BTW, when I try the regular SUPERAntiSpyware way, about half-way down the instructions it says to relaunch SAS after it reboots your computer after the main scan. But do I launch it in safe mode again to retrieve the logs?