TechSpot

Malware infection

By Manolo
Oct 29, 2007
  1. I got a Malware infection today after clicking (I think) on a Java update window. After that, a window pops up every couple of minutes with the message "Warning! Potential Spyware Operation!" (see attached 'Alert.GIF'). I have not clicked on the 'Yes' button. Then I noticed that the home page had changed to iGoogle and that the Explorer was not the default browser. Also, sometimes I was redirected to weird sites that I did not allow to load. Then, when I wanted to check the firewall (I'm running Windows XP Professional) I noticed that the control panel icon was missing from the Settings menu. Then, when trying to access My Computer properties I obtained a message saying that "This operation has been cancelled due to restrictions in effect on this computer" (see attached 'Alert2.GIF'). I also found that 2 files were added to the Start Up submenu: 'autos.exe' and 'infos.exe'. They reappear after deleting them and rebooting.

    I've run AVG Free edition antivirus which only found changes in the files (and I think it took no action):
    C:\WINDOWS\system32\kernel.dll
    C:\WINDOWS\system32\user32.dll
    C:\WINDOWS\system32\shell32.dll
    C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\drivers\etc\hosts

    AVG AntiSpyware found the Trojan Qhost and deleted it (attaching logfile 'Report-Scan-xxx.txt')

    I'm attaching as well the logfiles of ComboFix and HijackThis

    Thank you for your help

    I'm attaching the log file obtained with Ad-Aware

    After running the previous software the Control Panel is now accessible, but I still can't access the properties of My Computer or My Network Places

    Thank you for your help

    AVG Anti-Rootkit Free found nothing
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Bodogpoker

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    winter.exe
    infos.exe
    autos.exe
    BPGame.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll

    O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe

    O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe

    O4 - Startup: infos.exe

    O4 - Global Startup: autos.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\Program Files\Bodog Poker
    C:\WINDOWS\system32\winter.exe

    infos.exe <Search your system for this file and delete all instances found.
    autos.exe <Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix.

    Regards Howard :wave: :wave:

    This thread is for the use of Manolo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
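    As an added example (not from this thread, HijackThis, ComboFix or any other tool named here), a small Python triage script that applies the reasoning behind Howard's fix list to constructed sample input: it flags HJT entries whose file name matches a component the thread identified, O7 policy values that explain the "restrictions in effect" lockouts, and unnamed BHOs, and it lists hosts-file lines that redirect a name away from loopback, which is what the Qhost detection on the hosts file points to. The sample log, the hosts content, the 192.0.2.10 address and the hostnames are all constructed placeholders.

```python
import re
# Constructed HijackThis-style lines modelled on the entries Howard listed (not a real log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
"""
# Constructed hosts file: 192.0.2.10 (a documentation address) and placeholder names mimic a Qhost-style redirect.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.0.2.10      www.example.com
192.0.2.10      update.example-av.net
"""
# File names the thread identified as part of this infection; policy values matching the reported lockouts.
KNOWN_BAD_NAMES = {"bronto.dll", "winter.exe", "infos.exe", "autos.exe", "bpgame.exe"}
LOCKOUT_POLICIES = ("disableregedit", "disabletaskmgr", "nocontrolpanel")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BASENAME_RE = re.compile(r"([^\\\s]+\.(?:exe|dll))\s*$")
def triage_hjt(log_text):
    """Return (section, reason, line) for each HJT entry that should be ticked for fixing."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, low = m.group(1), m.group(2).lower()
        reasons = []
        name = BASENAME_RE.search(low)
        if name and name.group(1) in KNOWN_BAD_NAMES:
            reasons.append("known component of this infection")
        if section == "O7" and any(p + "=1" in low for p in LOCKOUT_POLICIES):
            reasons.append("policy disabling a system tool ('restrictions in effect' message)")
        if section == "O2" and "(no name)" in low:
            reasons.append("browser helper object with no name")
        if reasons:
            findings.append((section, "; ".join(reasons), raw.strip()))
    return findings
def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) for hosts lines that point a name somewhere other than loopback."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] not in ("127.0.0.1", "::1"):
            hits.extend((fields[0], host) for host in fields[1:])
    return hits
```

    The benign ctfmon.exe Run entry is left alone, which is the point of matching on names and policy values rather than ticking every O4 line.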
     
  3. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    When I tried to follow the instructions, neither the Control Panel nor the Task Manager was accessible. I ran Ad-Aware and it found 3 registry values changed (attached log file). After fixing them, the task manager was accessible. None of the processes were active.

    I deleted all instances of the files you indicated

    I ran ComboFix and HijackThis and I'm attaching the results. After running ComboFix and restarting, the Control Panel is accessible, as are the properties of My Computer and My Network Places

    The popup window is not showing up. Does this look clean?

    Thank you
     


  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  5. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    These are the new log files. I had to remove a lot of lines in the ComboFix log file because the size of the file was almost 200kb. I deleted lines of the files that had been removed in the directory C:\Program Files\Bodog Poker
     


  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All clean.

    Delete C:\Qoobox

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  7. Manolo

    Manolo TS Rookie Topic Starter Posts: 23

    Thanks a lot
     