[INACTIVE] Attention (Name)! Some dangerous viruses detected in your system...
This thread is now closed
R Jay
Wed Aug 13 2008, 01:06PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Hello, I have a malware problem that you guys seem to be familiar with, and I was hoping you could help me out. Every time I click on something in my C: drive I get this pop-up:

Attention (Name)! Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!
Click OK to download the antispyware. (recommended)

If it matters I have Windows XP. Thank you in advance for any help you can offer.
Schaep
Wed Aug 13 2008, 04:46PM
Registered Member #274
Joined: Wed Aug 13 2008, 04:40PM
Posts: 1
Thanked 0 times in 0 posts
I've got the same problem, and FixIEDef doesn't solve it. The log says there isn't any malware to be found.
Justin Tokke
Wed Aug 13 2008, 05:24PM

Registered Member #269
Joined: Tue Aug 12 2008, 02:29AM
Posts: 12
Thanked 0 times in 0 posts
Run the entire set of steps listed here: Malware Cleaning Guide

Then ask for help here.

[ Edited Wed Aug 13 2008, 06:16PM ]

Justin Tokke
Composer, Trombonist
R Jay
Wed Aug 13 2008, 05:38PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Thanks but that link as well as the one in the forums lead me to a page that never loads.
ShadowPuterDude
Wed Aug 13 2008, 06:24PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
Schaep wrote ...

I've got the same problem, and FixIEDef doesn't solve it. The log says there isn't any malware to be found.

Hello Schaep and Welcome to MalwareTeks.

It is against forum rules to post a request for support in someone else's support request thread.

Please start a thread of your own.


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
ShadowPuterDude
Wed Aug 13 2008, 06:29PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
R Jay, hello and welcome to MalwareTeks.

A new variant of the IE Defender Family of Fake Alert Trojans has been released in the wild. FixIEDef is being updated to target this new variant.

Follow the procedures as outlined in our Malware Cleaning Guide.

Once you have completed the procedures outlined in our Malware Cleaning Guide, post the following logs at a minimum:

Malwarebytes Anti-Malware
HijackThis
ISeeYouXP


If you were able to complete any of the online scanners, post those logs as well.

All logs are to be posted as attachments.

If you encounter problems with any step, just skip that step and continue with the procedures outlined in the Malware Cleaning Guide.

Make sure to tell me what ran and what didn't.

R Jay
Wed Aug 13 2008, 08:42PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
I am afraid both links you provided take me to a page that never loads. I'm not sure if this is because of my PC, but there are other websites that I frequently visit that will no longer load, and I think this or a similar malware is the reason behind it.
Justin Tokke
Wed Aug 13 2008, 09:27PM

Registered Member #269
Joined: Tue Aug 12 2008, 02:29AM
Posts: 12
Thanked 0 times in 0 posts
Use a clean PC, ideally a laptop, to load the sites. It will be much less of a hassle.

[ Edited Wed Aug 13 2008, 09:27PM ]
ShadowPuterDude
Wed Aug 13 2008, 09:37PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
FixIEDef has been updated to include the newest variant of the IE Defender Family of Fake Alert Trojans.

Download a new copy from the MalwareTeks Download Mirror to your Desktop and run it.

Attach the resulting log.

R Jay
Wed Aug 13 2008, 10:08PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Here is the log from FixIEDef.
fixiedef.log
ShadowPuterDude
Wed Aug 13 2008, 10:14PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
You are infected with more than just the IE Defender Family of Trojans.

Download to your Desktop
- ComboFix by sUBs from >> Geeks2Go <<

During the download, rename Combofix to Combo-Fix. This is important: do not rename after downloading. Combofix must be renamed before it is downloaded to your desktop.

Close ALL windows

Physically disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.

Double-click Combo-Fix.exe and follow the prompts.

When finished, the program will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for:
ComboFix
ISeeYouXP
HijackThis

R Jay
Wed Aug 13 2008, 10:25PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Firefox never gave me the option to rename ComboFix before it put it on my PC. What should I do?
ShadowPuterDude
Wed Aug 13 2008, 10:31PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
Go ahead and run it anyway.

Renaming is a preventive measure against certain forms of Malware detecting the running of ComboFix.

R Jay
Thu Aug 14 2008, 12:56AM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Here is the log from ComboFix. It took a while.
combofix.txt
ShadowPuterDude
Thu Aug 14 2008, 07:40AM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
Attach the ISeeYouXP and HijackThis logs I requested, as well.

R Jay
Sat Aug 16 2008, 08:49PM
Registered Member #272
Joined: Wed Aug 13 2008, 12:49PM
Posts: 7
Thanked 0 times in 0 posts
Sorry for the delay, but I've been away.


fixiedef.log
iseeyouxp.txt
ShadowPuterDude
Sun Aug 17 2008, 04:56PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
Using Add or Remove Programs in the Control Panel, uninstall the following:
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2

The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u7, available from Sun Microsystems. Uninstall all older versions of Java on your computer before installing the latest version of Java.

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"6c3b6c0f"=-
"BM6f085f93"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"=-
Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\6718a871-.txt
    C:\WINDOWS\system32\chkdsks.exe
    C:\WINDOWS\system32\chkdskss.exe
    C:\WINDOWS\system32\Config.MPF
    C:\WINDOWS\system32\djinrmfbjcgevv.exe
    C:\WINDOWS\system32\duxhpnyb.dll
    C:\WINDOWS\system32\ftps.exe
    C:\WINDOWS\system32\oeminfo.ini
    C:\WINDOWS\system32\OEMINFO.PNF
    C:\WINDOWS\system32\rar.exe
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\vhnmmnof.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following:
C:\TEMP\epr1
C:\WINDOWS\system32\fin2
C:\WINDOWS\system32\fx
C:\WINDOWS\system32\gps
C:\WINDOWS\system32\kBin02
Now run ATF Cleaner.

Delete the contents of C:\WINDOWS\Prefetch.

As an added precaution, go to Start -> Run, type cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

REBOOT to Normal Mode.

Download Registry Search (see the link titled RegSearch Download Link)
  • Extract the files from Regsearch.zip into a folder.
  • Double-click regsearch.exe to start the program.
  • Enter cmdService and Network Monitor in the top area of the form and then click "OK".
    Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).

Attach the following logs:
  • ISeeYouXP
  • HijackThis
  • RegSearch
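The FixReg.reg file above uses the REGEDIT4 syntax in which a value line of the form "name"=- deletes that value when the file is merged. The following is an added example, not code from the thread or from any of the tools it names: a small Python checker that parses such a fix file, reports every operation it would perform, and confirms that the fix only deletes values under the Run/RunOnce autostart keys and never sets or adds anything. The list of autostart keys and the second, deliberately failing sample are my own constructions; the first sample is the FixReg.reg content quoted in the post.

```python
"""Pre-merge sanity check for a REGEDIT4-style cleanup .reg file.

Added example (not from the MalwareTeks thread): lists each operation a
.reg fix would perform so the person merging it can see that it only
removes autostart values. Multi-line hex continuations (trailing "\") are
not handled; cleanup files like the one in the thread do not use them.
"""
import re
from dataclasses import dataclass

# Autostart keys a cleanup fix is expected to touch (assumed set for this check).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# FixReg.reg exactly as quoted in the post.
FIXREG_FROM_THREAD = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"6c3b6c0f"=-
"BM6f085f93"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"=-
"""

# Constructed counter-example: a file that *adds* a Run value instead of removing one.
CONSTRUCTED_SUSPECT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
"""

# Matches  "name"=data  or  @=data  (the @ form is the key's default value).
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass(frozen=True)
class RegOp:
    key: str      # key path, lower-cased (the registry is case-insensitive)
    name: str     # value name; "" for the default value or for whole-key ops
    action: str   # "delete_value", "set_value" or "delete_key"
    data: str = ""


def parse_reg(text: str) -> list[RegOp]:
    """Turn a .reg file into the list of operations merging it would perform."""
    ops: list[RegOp] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.upper().startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):            # [-HKEY...] deletes the whole key
                ops.append(RegOp(inner[1:].lower(), "", "delete_key"))
                key = None
            else:
                key = inner.lower()
            continue
        if key is None:
            raise ValueError(f"value line outside any key: {raw!r}")
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name = m.group(1) if m.group(1) is not None else ""
        data = m.group(2)
        if data == "-":                          # "name"=- removes the value
            ops.append(RegOp(key, name, "delete_value"))
        else:
            ops.append(RegOp(key, name, "set_value", data))
    return ops


def only_deletes_autostart_values(ops: list[RegOp]) -> bool:
    """True when every operation is a value deletion under a known autostart key."""
    return all(op.action == "delete_value" and op.key in AUTOSTART_KEYS for op in ops)


def describe(ops: list[RegOp]) -> list[str]:
    """Human-readable one-liner per operation, for review before merging."""
    return [f"{op.action:13} {op.key}\\{op.name or '(default)'}"
            + (f" = {op.data}" if op.data else "") for op in ops]


if __name__ == "__main__":
    for label, text in (("FixReg.reg", FIXREG_FROM_THREAD), ("suspect", CONSTRUCTED_SUSPECT)):
        ops = parse_reg(text)
        print(f"== {label}: safe cleanup = {only_deletes_autostart_values(ops)}")
        print("\n".join(describe(ops)))
```

Run the file to see both reports. The thread's fix parses to three delete_value operations under Run and RunOnce and passes the check; the constructed file fails because it sets a value, which is the pattern to refuse in a file that is supposed to clean persistence rather than create it.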
ShadowPuterDude
Sun Aug 24 2008, 08:43AM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 217
Thanked 10 times in 10 posts
Thread Closed

Reason: Lack of Response
