[Resolved] This Computer is (also) Being Attacked


  • This topic is locked
3 replies to this topic

#1 wanderkind

Posted 17 November 2009 - 03:12 AM

UPDATE:

Well don't I feel like a fool, now that I settled down and had access to a web browser that works and being able to snoop around the forums, apparently it was just some silly spyware that was easily removed (or so far it would seem) with Malwarebytes. Sorry for making such a big post about nothing. I'll definitely be lurking around here to avoid wasting space in the future, lol. >.<

Thank you for the awesome assistance I am sure you would have provided if I wasn't such a fool :blush:

______________________

Hello WTTers :)

Today I started receiving some worrying error messages, generally I get two pop ups,

Pop up 1:

Pop up "WARNING" box with a red circle crossed out:
Application cannot be executed. The file is infected. Please activate your antivirus software.

This one is usually triggered by my actions on the computer when I try to open items/run programs, or sometimes when trying to right click to change program settings, it also opens up when I try to open the task manager via ctrl+alt+delete (and closes the task manager - and often any program related to it opening up, or refuses my access).

This pop up is usually followed by another pop up box of the same style,

Pop up 2:

"Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)"

(word for word, typos and all)

I so far just "X" this out instead of hitting OK, though I might have hit OK the first time this popped up in my carelessness.

This second one also just pops up on the screen every now and then even when I am taking no action.

Disconcertingly enough, it also changed my desktop background to an image that said WARNING Your computer is infected. And also the "Red circle with white x" image is now in my tray.

I did a full scan with Avira Antivirus and it didn't detect anything unusual. I can't save any logs/records because I am attacked by these pop ups whenever I try.

I was able to run ERUNT fine.

I get Pop up 1 when trying to run the DDS from the getting started thread.

It also pops up when I run RootRepeal after I click OK on the "Select Scan" prompt and it begins running (too fast to catch what's up) and something seems to pop up but then this trojan or whatever brings out Pop up 1 again and whatever appeared is gone. However, afterwards I can still click the save report button and save the file.

I'm rather inept at computer stuff so I was really happy when I stumbled upon your site here.

Any help would be greatly appreciated :)

(I'll edit in the rootrepeal text momentarily)

Edit:
Oh I might also note that both my Avira (free version) and WinXP automatically update so I think they should be up to date.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/17 03:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
Address: 0xBA3A8000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA128000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC117000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA608000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA644000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8916000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba69a3e6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba69a3dc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba69a3eb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba69a3f5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba69a3fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba69a3c8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba69a3cd

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba69a404

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba69a3ff

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba69a3f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba69a3d7

==EOF==

Edited by wanderkind, 17 November 2009 - 04:02 AM.

#2 jpshortstuff

Posted 17 November 2009 - 05:00 AM

Hi :) Is your problem resolved then? Let us know. Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

#3 wanderkind

Posted 17 November 2009 - 05:13 PM

Yes, apparently it was a "fake trojan," running malwarebytes quick scan seemed to catch everything and allowing the computer to reboot when prompted returned everything to normal afterwards. Thanks for checking :)

#4 jpshortstuff

Posted 17 November 2009 - 05:16 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
