Solved

Malware

Posted on 2009-12-30
13
Medium Priority
1,010 Views
Last Modified: 2013-11-22
I have an XP computer that is getting popup windows every ten minutes that state: You have some problems with your computer, and it lists a phone number
1 (900) 255-73-73

I've tried Malwarebytes, HijackThis, and Avast anti-virus.

What shall I do next?
Help
0
Comment
Question by:PlymouthIT
13 Comments
 
LVL 6

Expert Comment

by:kennyhenao
ID: 26149315
0
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 26149463
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs. (already suggested by kennyhenao)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporarily disable any firewall(s), shield(s), etc. to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log; for further instructions, save and paste the results by Attach File, or by Code Snippet, so other experts can take a look at it. Once the log looks clean, you may enable your firewall(s), shield(s), etc. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You might need to rename the file before saving it to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
0
 

Author Comment

by:PlymouthIT
ID: 26151126
ComboFix 09-12-29.06 - DELL 12/30/2009  19:24:36.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.576 [GMT -6:00]
Running from: c:\documents and settings\DELL\My Documents\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-31  )))))))))))))))))))))))))))))))
.

2009-12-31 01:19 . 2009-12-31 01:19      --------      d-----w-      c:\program files\CCleaner
2009-12-30 21:58 . 2009-12-30 21:58      --------      d-sh--w-      c:\documents and settings\LocalService\IETldCache
2009-12-30 18:39 . 2009-11-24 23:48      23120      ----a-w-      c:\windows\system32\drivers\aswRdr.sys
2009-12-30 18:39 . 2009-11-24 23:49      48560      ----a-w-      c:\windows\system32\drivers\aswTdi.sys
2009-12-30 18:39 . 2009-11-24 23:47      27408      ----a-w-      c:\windows\system32\drivers\aavmker4.sys
2009-12-30 18:39 . 2009-11-24 23:50      94160      ----a-w-      c:\windows\system32\drivers\aswmon2.sys
2009-12-30 18:39 . 2009-11-24 23:50      114768      ----a-w-      c:\windows\system32\drivers\aswSP.sys
2009-12-30 18:39 . 2009-11-24 23:50      20560      ----a-w-      c:\windows\system32\drivers\aswFsBlk.sys
2009-12-30 18:39 . 2009-11-24 23:47      97480      ----a-w-      c:\windows\system32\AvastSS.scr
2009-12-30 18:39 . 2009-11-24 23:51      93424      ----a-w-      c:\windows\system32\drivers\aswmon.sys
2009-12-30 18:39 . 2009-11-24 23:54      1280480      ----a-w-      c:\windows\system32\aswBoot.exe
2009-12-30 18:39 . 2009-12-30 18:39      --------      d-----w-      c:\program files\Alwil Software
2009-12-30 18:34 . 2009-12-30 18:34      --------      d-----w-      c:\windows\LastGood
2009-12-30 15:22 . 2009-12-30 15:22      --------      d-sh--w-      c:\documents and settings\DELL\IECompatCache
2009-12-30 15:19 . 2009-12-30 15:19      --------      d-sh--w-      c:\documents and settings\DELL\PrivacIE
2009-12-30 15:18 . 2009-12-30 15:18      --------      d-sh--w-      c:\documents and settings\DELL\IETldCache
2009-12-30 15:14 . 2009-12-30 15:14      --------      d-----w-      c:\windows\ie8updates
2009-12-30 15:12 . 2009-12-30 15:12      --------      dc-h--w-      c:\windows\ie8
2009-12-30 15:09 . 2009-10-29 07:45      594432      -c----w-      c:\windows\system32\dllcache\msfeeds.dll
2009-12-30 15:09 . 2009-10-29 07:45      55296      -c----w-      c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-30 15:09 . 2009-10-29 07:45      12800      -c----w-      c:\windows\system32\dllcache\xpshims.dll
2009-12-30 15:09 . 2009-10-29 07:45      246272      -c----w-      c:\windows\system32\dllcache\ieproxy.dll
2009-12-30 15:09 . 2009-10-29 07:45      1985536      -c----w-      c:\windows\system32\dllcache\iertutil.dll
2009-12-30 15:09 . 2009-10-29 07:45      11069952      -c----w-      c:\windows\system32\dllcache\ieframe.dll
2009-12-30 15:08 . 2009-10-02 04:44      92160      -c----w-      c:\windows\system32\dllcache\iecompat.dll
2009-12-30 15:06 . 2009-11-21 15:51      471552      -c----w-      c:\windows\system32\dllcache\aclayers.dll
2009-12-30 14:49 . 2009-12-30 14:49      --------      d-----w-      c:\program files\Trend Micro
2009-12-29 22:25 . 2009-12-29 22:25      --------      d-----w-      c:\documents and settings\DELL\Application Data\Malwarebytes
2009-12-29 22:25 . 2009-12-03 22:14      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-29 22:25 . 2009-12-29 22:25      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-12-29 22:25 . 2009-12-29 22:25      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-29 22:25 . 2009-12-03 22:13      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-12-29 21:49 . 2009-12-29 21:49      8192      ----a-w-      c:\documents and settings\DELL\Application Data\an\StartIE.exe
2009-12-29 21:49 . 2009-12-29 21:49      170496      ----a-w-      c:\documents and settings\DELL\Application Data\an\ProblemExample.dll
2009-12-29 21:49 . 2009-12-29 21:49      --------      d-----w-      c:\documents and settings\DELL\Application Data\an
2009-12-29 21:49 . 2009-12-29 21:49      10752      ----a-w-      c:\documents and settings\DELL\Application Data\an\AlarmNotificator.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 13:52 . 2008-06-28 16:33      --------      d-----w-      c:\program files\LogMeIn
2009-12-29 22:35 . 2009-06-17 14:26      --------      d-----w-      c:\program files\golinkup
2009-12-21 20:24 . 2009-01-13 21:03      --------      d-----w-      c:\program files\DYMO Label
2009-12-15 22:22 . 2009-06-17 14:27      --------      d-----w-      c:\program files\ClaimX
2009-11-21 15:51 . 2003-07-16 16:17      471552      ----a-w-      c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2003-07-16 16:45      916480      ------w-      c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00      265728      ------w-      c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2003-07-16 16:34      270336      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-07-16 16:36      149504      ----a-w-      c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-07-16 16:36      79872      ----a-w-      c:\windows\system32\raschap.dll
2009-10-05 13:05 . 2008-06-28 16:33      83288      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2009-10-05 13:05 . 2008-06-28 16:33      28984      ----a-w-      c:\windows\system32\LMIport.dll
2009-10-05 13:05 . 2008-06-28 16:33      87352      ----a-w-      c:\windows\system32\LMIinit.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ESInetConnect"="c:\eaglesoft\Shared Files\esinetconnect.exe" [2007-04-04 204800]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AlarmNotificator"="c:\documents and settings\DELL\Application Data\an\AlarmNotificator.exe" [2009-12-29 10752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ClaimX Notify.lnk - c:\windows\Installer\{110F875C-2716-482B-ADD9-A5F4AEF4C14D}\_5af141bb.exe [2009-6-17 1078]
SmartCapture.lnk - c:\windows\Seiko\slpcap.exe [2008-6-28 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-05 13:05      87352      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute      REG_MULTI_SZ         autocheck autochk *\0aswBoot.exe /A:* /L:English /KBD:3

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-01-23 18:31      126976      ----a-w-      c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-01-23 18:36      155648      ----a-w-      c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\EagleSoft\\Shared Files\\esinetconnect.exe"=
"c:\\EagleSoft\\Shared Files\\ESTechUtil.exe"=
"c:\\EagleSoft\\Shared Files\\EagleSoft.exe"=
"c:\\EagleSoft\\Shared Files\\techaid.exe"=
"c:\\EagleSoft\\Shared Files\\ESMessenger.exe"=
"c:\\EagleSoft\\Shared Files\\dbeng7.exe"=
"c:\\Program Files\\ClaimX\\ClaimXClient.exe"=
"c:\\Program Files\\ClaimX\\ClaimXClientNotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM
"135:UDP"= 135:UDP:DCOM2

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 2:31 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/28/2008 10:33 AM 47640]
R3 XNetMirror;XNetMirror;c:\windows\system32\drivers\xmirror.sys [6/17/2009 8:26 AM 2695]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - AvgLdx86

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************
0
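The ComboFix log above is long, and the entry that mattered here (a Run key pointing into a user's Application Data folder, whose binary was created during the scan window) is easy to miss by eye. As an added example that is not part of this thread, the following Python script parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log and flags autorun entries that launch from a user profile or temp directory, or whose executable was created in the scan window, listing any files created alongside it. The sample log embedded in the script is a constructed excerpt in the shape of the one posted above; the section-header and line formats it assumes are those visible in that log, and the heuristics are my own, not ComboFix's.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-31  )))))))))))))))))))))))))))))))
.

2009-12-30 18:39 . 2009-11-24 23:54      1280480      ----a-w-      c:\windows\system32\aswBoot.exe
2009-12-29 21:49 . 2009-12-29 21:49      8192      ----a-w-      c:\documents and settings\DELL\Application Data\an\StartIE.exe
2009-12-29 21:49 . 2009-12-29 21:49      --------      d-----w-      c:\documents and settings\DELL\Application Data\an
2009-12-29 21:49 . 2009-12-29 21:49      10752      ----a-w-      c:\documents and settings\DELL\Application Data\an\AlarmNotificator.exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AlarmNotificator"="c:\documents and settings\DELL\Application Data\an\AlarmNotificator.exe" [2009-12-29 10752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"""

# Section banner: a run of "(" , the title, a run of ")".
SECTION_RE = re.compile(r'^\(+\s*(?P<title>.*?)\s*\)+\s*$')
# Registry key header inside "Reg Loading Points".
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# Run-key value: "name"="path" [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$')
# File row: created . modified size attrs path  (size is "--------" for directories)
FILE_RE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}'
                     r'\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>\S.*?)\s*$')

USER_PROFILE_PREFIXES = ('c:\\documents and settings\\', 'c:\\users\\')


def parse_combofix(text):
    """Return (run_entries, created_files).
    run_entries: dicts with name/path/date/size/key for values under ...\Run or ...\RunOnce.
    created_files: lowercased file path -> creation timestamp from the 'Files Created' section."""
    run_entries, created = [], {}
    section, key = None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group('title'), None
            continue
        if section is None:
            continue
        if section.startswith('Files Created'):
            m = FILE_RE.match(line)
            if m and m.group('size') != '--------':       # skip directory rows
                created[m.group('path').lower()] = m.group('created')
        elif section == 'Reg Loading Points':
            m = KEY_RE.match(line)
            if m:
                key = m.group('key')
                continue
            m = RUN_RE.match(line)
            if m and key and key.lower().endswith(('\\run', '\\runonce')):
                run_entries.append(dict(m.groupdict(), key=key))
    return run_entries, created


def triage_autoruns(text):
    """Flag Run entries worth a second look; returns {value name: finding}."""
    run_entries, created = parse_combofix(text)
    findings = {}
    for entry in run_entries:
        p = entry['path'].lower()
        reasons = []
        if p.startswith(USER_PROFILE_PREFIXES) and '\\all users\\' not in p:
            reasons.append('launches from a user-profile directory')
        if '\\temp\\' in p:
            reasons.append('launches from a temp directory')
        if p in created:
            reasons.append('binary created during the scan window (%s)' % created[p])
        if reasons:
            folder = p.rsplit('\\', 1)[0] + '\\'
            # Other files dropped into the same folder in the window: likely part of the same install.
            alongside = sorted(f for f in created if f.startswith(folder) and f != p)
            findings[entry['name']] = {'path': entry['path'], 'key': entry['key'],
                                       'reasons': reasons, 'created_alongside': alongside}
    return findings


if __name__ == '__main__':
    for name, f in triage_autoruns(SAMPLE_LOG).items():
        print(name, '->', f['path'])
        for r in f['reasons']:
            print('   -', r)
        for sibling in f['created_alongside']:
            print('   created alongside:', sibling)
```

Run it against a saved ComboFix.txt by reading the file into `triage_autoruns` instead of `SAMPLE_LOG`. The output is a shortlist to submit to VirusTotal or inspect in Process Explorer, not a verdict: a legitimate per-user installer can also live under Application Data, so treat each hit as a lead.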
 

Author Comment

by:PlymouthIT
ID: 26151132
ComboFix log file
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 26151844
Still, didn't you try System Restore? If it fails, try from ERD Commander.
0
 
LVL 22

Expert Comment

by:optoma
ID: 26152185
That message which appears:
Is there any hyperlink in it? If there is, right click the hyperlink, select Properties and note the website address.

Could you run a quick scan with Hitman Pro http://www.surfright.nl/en/hitmanpro (you can uninstall it after a restart)?
Make note of any detections + their locations, if any.

Also check these out with VirusTotal: http://www.virustotal.com/
c:\documents and settings\DELL\Application Data\an\StartIE.exe
c:\documents and settings\DELL\Application Data\an\ProblemExample.dll
c:\documents and settings\DELL\Application Data\an
c:\documents and settings\DELL\Application Data\an\AlarmNotificator.exe

Lastly, run Active Ports and note which program port 135 is tied to:
http://majorgeeks.com/Active_Ports_d682.html

0
 

Author Comment

by:PlymouthIT
ID: 26155638
Optoma:

Thanks for your help. I deleted the files in the AN directory. This cleared the bogus message and website link information within the popup window. Now I have to find what is triggering the popup window. I was hoping Hitman would have located it. No go. What is triggering the popup window to reopen every 8 minutes? Any ideas?

Combo fix was not successful at locating the problem this time.
0
 
LVL 22

Accepted Solution

by:
optoma earned 1000 total points
ID: 26155689
Leave Process Explorer running on the machine and whatever is triggering it should appear in it.

Process Explorer:
In it, hit Options and select "Verify image signatures".
Then hit View, select Columns and check "Verified signer".
Hit Options again, select "Difference highlight duration" and set it to nine seconds.

Get a screen shot of the processes and attach the images in a folder attachment.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Did you change to get a Url from a link within the message, if any?
Also port 135 - anything in Active Ports?

0
 
LVL 22

Expert Comment

by:optoma
ID: 26155693
Should Read:
Did you get a Url from a link within that popup message?
0
 

Author Closing Comment

by:PlymouthIT
ID: 31671413
It is great having the experts to work with. I too help as much as time will permit, and it's a great feeling when you find the problem.

Optoma thank you and the others that helped out.

Happy New Year!
0
 
LVL 22

Expert Comment

by:optoma
ID: 26156015
No prob and you're welcome.

Out of interest did Process Explorer or Active ports point out anything?
0
 

Author Comment

by:PlymouthIT
ID: 26174271
optoma:

I used Active Ports. I listed the file AlarmNotificator.exe as active. I stopped the file using Active Ports and deleted it in the AN directory. The End :-)

0
 

Author Comment

by:PlymouthIT
ID: 26174288
optoma:

I used Active Ports. It listed the file AlarmNotificator.exe as active. I stopped the file and then deleted it in the AN directory. The End :-)

0
