perce.jpg.exe Seems to be a NEW virus

sgtbluto

New Member
Hello all,

I am new to this forum but have found a lot of great info here.

In this thread I'm going to cover a new threat that hit me yesterday, 02-07-09.

When I got home my roommate told me that the computer was acting funny. In my investigation I found what I thought to be a spyware attack. He said that his daughter had been using my computer (oh brotha was my first thought, since mine is the only one in the house) and something strange was going on. I said, "No problem, I'll get it figured out", since I'm pretty damn good about these things.

Well, after messing with it for about 4 hours or so, I thought I had it. Running scans, regediting, all the fun stuff when you get something nasty. I run Norton 360 on my computer and have not had any problems. Well, usually I'm the only one using it, until I moved in with my roommate. Didn't think about setting the incoming attack blocker and notice, since I love messing with people that try hacking. Again, an 8-yr-old was using my computer while I was at work and clicked on something that, well, F'd everything up.

This is a NASTY little "B" and thank gawd I googled "perce.jpg.exe". Found this thread about it and a program to help. Thanks to an answer from Johnb35 I was able to download a program that scans for malware, as Norton 360 wasn't updated for this. It's not totally gone yet as this is a NEW Trojan, but at least I'm able to work on it easier than before. Also, I should mention here that Hdk20 had put up the thread that I found on Google. Thanks!

If you have this problem, do what I found in Johnb35's reply. Download this malware remover: http://www.computerforum.com/131398-important-please-read-before-posting.html It has helped a ton!

This is the log from the malware remover. One note: the file winconfig.dll I could not find in any search I did after the reboot. I still have a few issues, but am working through them.

I have A LOT more access and can work freely to extract this issue.

Thanks!

SgtBluto

Here is the LOG:

Malwarebytes' Anti-Malware 1.33
Database version: 1740
Windows 5.1.2600 Service Pack 3

2/8/2009 10:27:02 PM
mbam-log-2009-02-08 (22-27-02).txt

Scan type: Quick Scan
Objects scanned: 59121
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\winconfig.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winconfig.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\A360\av360.exe (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\INTERNET\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.Antivirus360) -> Quarantined and deleted successfully.
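As an added example (not from the original post, and not Malwarebytes' own code), here is a small parser for the section-based log format quoted above that pulls out what a responder still has to check after the reboot: items only scheduled for deletion, and detections sitting in autostart locations. The excerpt and the list of persistence markers are my own assumptions, built from entries in the log above.

```python
# Parser for the section-based Malwarebytes' Anti-Malware 1.x log format quoted above.
import re
from collections import Counter
# Constructed excerpt: entries copied from the log in the post, blank lines dropped.
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\winconfig.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit (Trojan.Agent) -> Data: c:\\windows\\system32\\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
C:\\Program Files\\A360\\av360.exe (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(.+ Infected):$")
# <item> (<Threat.Name>) -> [Data: <value> -> ]<action>.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")
# Assumed list of logon-time and browser autostart locations worth re-checking after the reboot.
PERSISTENCE_MARKERS = ("\\Winlogon\\", "\\Browser Helper Objects\\", "\\CurrentVersion\\Run")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, data (or None), action."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            rec = m.groupdict()
            rec["section"] = section
            records.append(rec)
    return records

def threat_families(records):
    """Count detections per family name, e.g. Trojan.FakeAlert."""
    return Counter(r["threat"] for r in records)

def pending_reboot(records):
    """Items MBAM could only schedule for deletion; verify they are gone after the restart."""
    return [r["item"] for r in records if r["action"].startswith("Delete on reboot")]

def persistence_hits(records):
    """Detections sitting in an autostart location (here Winlogon\\Userinit and a BHO)."""
    return [r for r in records if any(k.lower() in r["item"].lower() for k in PERSISTENCE_MARKERS)]
```

The full log from the post can be fed to parse_mbam_log unchanged; the summary and header lines do not match either pattern and are skipped.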
 
This is the log from the malware remover. One note: the file winconfig.dll I could not find in any search I did after the reboot.
That is good - Malwarebytes' should have removed it on reboot.

I still have a few issues, but am working through them.
Please post a HijackThis log as indicated in the guide as well as a detailed description of the remaining problems and we will do our best to sort them out.
 
Back
Top