Malware infection


Manolo
I got a malware infection today after clicking (I think) on a Java update window. After that, a window pops up every couple of minutes with the message "Warning! Potential Spyware Operation!" (see attached 'Alert.GIF'). I have not clicked on the 'Yes' button. Then I noticed that the home page had changed to iGoogle and that Explorer was not the default browser. Also, sometimes I was redirected to weird sites that I had not allowed to load. Then, when I wanted to check the firewall (I'm running Windows XP Professional), I noticed that the Control Panel icon was missing from the Settings menu. Then, when trying to access My Computer properties, I obtained a message saying that "This operation has been cancelled due to restrictions in effect on this computer" (see attached 'Alert2.GIF'). I also found that 2 files had been added to the Start Up submenu: 'autos.exe' and 'infos.exe'. They reappear after deleting them and rebooting.

I've run the AVG Free edition antivirus, which only found changes in these files (and I think it took no action):
C:\WINDOWS\system32\kernel.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\etc\hosts

AVG Anti-Spyware found the Trojan Qhost and deleted it (attaching logfile 'Report-Scan-xxx.txt').

I'm attaching the ComboFix and HijackThis logfiles as well.

Thank you for your help

I'm attaching the log file obtained with Ad-Aware.

After running the previous software the Control Panel is now accessible, but I still can't access the properties of My Computer or My Network Places.

Thank you for your help

AVG Anti-Rootkit Free found nothing.

Attachments

  • Alert.GIF (8.7 KB)
  • Alert2.GIF (8.4 KB)
  • Report-Scan-20071029-150743.txt (13.9 KB)
  • ComboFixLog.txt (5.8 KB)
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there):

Bodogpoker

Close Control Panel.

Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for (if there):

winter.exe
infos.exe
autos.exe
BPGame.exe

Close Task Manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll

O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe

O4 - Startup: infos.exe

O4 - Global Startup: autos.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or folders (if there).

C:\Program Files\Bodog Poker
C:\WINDOWS\system32\winter.exe

infos.exe < Search your system for this file and delete all instances found.
autos.exe < Search your system for this file and delete all instances found.

Reboot into normal mode and re-hide your protected OS files.

Post fresh HJT and ComboFix logs.

Regards Howard :wave: :wave:

This thread is for the use of Manolo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
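The reply above derives three lists from the HijackThis log by hand: processes to end, files and folders to delete, and policy restrictions (the O7 lines) to clear. The script below does the same derivation from the O-lines mechanically. It is an added example, not HijackThis or Techspot code; the sample log is the set of lines quoted in the reply, and the parsing rules (what an O2/O4/O7/O9 line contains, and that a file under a C:\Program Files\<Product>\ folder is removed by deleting the whole product folder) are assumptions taken from HijackThis's log format and from the reply's own procedure.

```python
"""Turn the O-lines of a HijackThis log into a cleanup plan: processes to
end, files/folders to delete, bare file names to search for, and registry
policy values to clear. Added example, not HijackThis code; the sample
lines are the ones quoted in the reply, and the parsing rules and the
Program Files folder rule are assumptions."""
import re

# Constructed log excerpt: the O-lines from the reply above.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll",
    r"O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe",
    r"O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe",
    r"O4 - Startup: infos.exe",
    r"O4 - Global Startup: autos.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe",
])

LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-rooted path ending in a module extension; non-greedy so it stops
# at the first such extension even when the path contains spaces.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per O-line: type, detail, path (or None), clsid (or None)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an O-line
        kind, detail = m.groups()
        path = PATH.search(detail)
        clsid = CLSID.search(detail)
        entries.append({"type": kind, "detail": detail,
                        "path": path.group(0) if path else None,
                        "clsid": clsid.group(0) if clsid else None})
    return entries


def run_target(detail):
    """Launched file from an O4 detail: drop the location ('HKLM\\..\\Run',
    'Startup') and the bracketed value name, keep the command."""
    target = detail.split(":", 1)[1].strip()
    return re.sub(r"^\[[^\]]*\]\s*", "", target)


def container(path):
    """Assumed rule from the reply: a file under C:\\Program Files\\<Product>\\
    is removed by deleting the product folder; anything else is deleted
    as a single file."""
    parts = path.split("\\")
    if len(parts) >= 4 and parts[1].lower() == "program files":
        return "\\".join(parts[:3])
    return path


def cleanup_plan(text):
    """Derive the end-process, delete, search-and-delete and clear-policy
    lists from the O-lines. Sets are returned as sorted lists so the plan
    is stable to print and compare."""
    end_process, delete, search, policies, fix = set(), set(), set(), set(), []
    for e in parse_hjt(text):
        kind = e["type"]
        if kind == "O4":
            target = run_target(e["detail"])
            exe = target.rsplit("\\", 1)[-1].lower()
            end_process.add(exe)
            if "\\" in target:
                delete.add(target)
            else:
                search.add(exe)  # bare name: search every drive for all copies
        elif kind in ("O2", "O9") and e["path"]:
            # Fixing an O2/O9 line in HJT only removes the registration,
            # so the module on disk is queued for deletion as well.
            delete.add(container(e["path"]))
            if e["path"].lower().endswith(".exe"):
                end_process.add(e["path"].rsplit("\\", 1)[-1].lower())
        elif kind == "O7":
            key, _, value = e["detail"].partition(", ")
            policies.add((key, value.split("=", 1)[0]))
        fix.append(f"{kind} - {e['detail']}")
    return {"end_process": sorted(end_process), "delete": sorted(delete),
            "search_and_delete": sorted(search), "clear_policy": sorted(policies),
            "hjt_fix": fix}


if __name__ == "__main__":
    for step, items in cleanup_plan(SAMPLE_LOG).items():
        print(step)
        for item in items:
            print("   ", item)
```

Run against the sample, the end-process list is exactly the four executables the reply names and the search-and-delete list is the two bare Startup entries; the only item the reply does not list is bronto.dll, which the script queues because fixing the O2 line in HJT removes the BHO registration but leaves the DLL on disk.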
 
When I tried to follow the instructions, neither the Control Panel nor the Task Manager was accessible. I ran Ad-Aware and it found 3 changed registry values (attached log file). After fixing them, the Task Manager was accessible. None of the processes were active.

I deleted all instances of the files you indicated.

I ran ComboFix and HijackThis and I'm attaching the results. After running ComboFix and restarting, the Control Panel is accessible, and so are the properties of My Computer and My Network Places.

The popup window is not showing up. Does this look clean?

Thank you

Attachments

  • Ad-Adaware_log2.txt (60.7 KB)
  • ComboFixLog2.txt (4.5 KB)
  • hijackthis2.log (5.3 KB)
Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.

Also, pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:


File::
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\skuns.dat

Folder::
C:\Program Files\Bodog Poker

Save this as CFScript.txt.

Then drag CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a fresh HJT log.

Regards Howard :)

 
These are the new log files. I had to remove a lot of lines from the ComboFix log file because the size of the file was almost 200 KB. I deleted the lines for the files that had been removed from the directory C:\Program Files\Bodog Poker.

Attachments

  • ComboFixLog3.txt (39.6 KB)
All clean.

Delete C:\Qoobox

Turn off System Restore (XP/ME only). See how HERE.

Now turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
