Windows performace and stablity hack

Inactive
By psmith9896
Oct 31, 2011
  1. I've got a pc taking over by a window performance and stablity hack. I was able to get malware to run in safemode (log attached), the gmer tool I cannot get either download site to work, the DDS log is attached as well.

    I have no desktop, my AV is disabled and my start menu is blank.

    Malware also is popping up random blocks of websites.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8050

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    10/31/2011 10:18:08 AM
    mbam-log-2011-10-31 (10-18-08).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 232487
    Time elapsed: 39 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 12
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cDnjwAENws.exe (Trojan.FakeAlert) -> Value: cDnjwAENws.exe -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\cdnjwaenws.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\6dss92c31apgjk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  2. psmith9896

    psmith9896 Newcomer, in training Topic Starter

    I jumped the gun the DDS scan would not complete it hung up the PC. I had to reboot but after this reboot my AV is enabled I'm trying to run a scan from it see if it finds anything new.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Welcome to TechSpot! I'll help with the malware. There are somethings to be done that will help with the scans: Looks like you my have malware named "Smart Engine:"
    ==============================================
    Note: you do not need to run an AV scan. I will have you run an online virus scan.
    =============================================
    Step One:Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    (A tip: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Smart Engine when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again.)

    Step Two: Update Mbam> On the Scanner tab, make sure the the Perform full scan option is selected

    Step Three: Access, Delete, Replace Hosts files
    Please download the following batch file and save it to your desktop: Hostsperm.bat
    • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run.
      [o]Once it starts you will see a small black window that opens, then goes away. This is normal. You should now be able to access your HOSTS file.
    • We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.
    • Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.
      [o]Windows XP HOSTS File Download Link
    • If the contents of the HOSTS file opens in your browser when you click on the link, then right-click the link and select:
      [o]Save Target As if in Internet Explorer
      [o] Save Link Asif in Firefox, to download the file.
    • Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    • Now reboot your computer.
    ================================================
    Then please try DDS again. If you continue to have any problems with the scans, let me know specifically what the problem is.
    ===============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
  4. psmith9896

    psmith9896 Newcomer, in training Topic Starter

    I down loaded the first rkill program in normal mode and ran it, the black dos boxed pope up twice about 30 seconds apart and now nothing is happening. I tried to delete the rkill but it still running, is it ok to shut that process down and move on to the second one?

    edit : disregard, after rereading your instructions, I see now after the dos screen came up I should just move on to an up to date version of malware bytes scan.

    I'm on to that I'll be back soon.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Okay. Post when ready.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.