
please help!!



ehsan
2009-10-08, 10:29
I am running spybot sd and it found malware called fraud.windowsprotectionsuite.

I go to fix the selected problem and get an error message:
Cannot create file c:\windows\system32\drivers\etc\hosts
Access denied

what the f!

drragostea
2009-10-09, 04:22
Can you post a log of the results?
You can find it in the Advanced Mode of Spybot-SD. I don't have it installed atm, but it should be around the third tab or so. It'll say "View logs". And then there'll be "View previous logs". There will be a [bunch] (not necessarily) of text files and the one you want to look for is:
Checks.YYMMDD-####. It'll be the latest date... Like it should be anywhere near this past week.

What did you do after Spybot finished the scan?
(My guess is that your machine is infected with a Rogue AV [maybe its symptoms are not actively showing] and Spybot is attempting to remove its traces in the Windows HOSTS file. Either that or Spybot found references or traces on your machine without the infection actually being there)
Edit: I found a similar thread, which was started very recently:
http://forums.spybot.info/showthread.php?t=52316
-
It seems to be a redirection to the malicious link.

Alright, there's no need to copy the logs if you can confirm results in the link.
I would suggest you follow the instructions posted by Zenobia and get your own thread started in the Malware Removal Forums.

ehsan
2009-10-09, 09:57
is this what you need?

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
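An added triage helper, written for this thread and not part of Spybot or of anyone's post here: it parses "Redirected host" findings in the log format shown above, reads a hosts file the same way, and groups hostnames by any target that is neither loopback nor a blackhole address, which is the pattern the findings show. The log and hosts-file samples are constructed from the entries quoted in the thread.

```python
from __future__ import annotations
import re
from collections import defaultdict
# Header of a Spybot S&D 1.6 "Redirected host" finding; the following line holds host=ip.
HEADER_RE = re.compile(r"^(?P<family>[\w.]+): \[SBI \$[0-9A-Fa-f]+\] Redirected host")
# Targets that are harmless in a hosts file: loopback, or a blackhole used for ad-blocking.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Constructed sample: two of the entries quoted in the thread, in Spybot's log format.
SAMPLE_LOG = """\
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
securitysoftwarepayments.com=74.125.45.100
"""
# Constructed sample of a hijacked hosts file (hypothetical, modelled on the findings above).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   www.getantivirusplusnow.com
0.0.0.0         ads.example.invalid   # blocking entry, not a hijack
"""

def parse_spybot_redirects(log: str) -> list[tuple[str, str, str]]:
    """Return (family, hostname, target_ip) for every 'Redirected host' finding."""
    lines = [line.strip() for line in log.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m and i + 1 < len(lines) and "=" in lines[i + 1]:
            host, _, ip = lines[i + 1].partition("=")
            findings.append((m.group("family"), host, ip))
    return findings

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments, then tokenize
        if len(fields) >= 2:
            pairs.extend((fields[0], name) for name in fields[1:])
    return pairs

def suspicious_redirects(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames by target, keeping only targets that are neither loopback nor a blackhole."""
    by_ip: dict[str, list[str]] = defaultdict(list)
    for ip, name in pairs:  # many unrelated public domains on one remote IP is the hijack pattern
        if ip not in LOCAL_TARGETS:
            by_ip[ip].append(name)
    return dict(by_ip)
```

The file Spybot could not write, c:\windows\system32\drivers\etc\hosts, is the input for parse_hosts once it can be read, and its output can be checked against the Spybot findings.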

drragostea
2009-10-10, 05:53
Edit: I found a similar thread, which was started very recently:
http://forums.spybot.info/showthread.php?t=52316
-
It seems to be a redirection to the malicious link.

Alright, there's no need to copy the logs if you can confirm results in the link.
I would suggest you follow the instructions posted by Zenobia and get your own thread started in the Malware Removal Forums.
Yeah, you two have similar symptoms. I would suggest you check out the Malware Removal Forums and start your own thread. Instructions are provided by Zenobia in the link above.

tashi
2009-10-13, 23:26
Instructions are provided by Zenobia in the link above.

Which directly is: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) ;)

Malware forum topic: http://forums.spybot.info/showthread.php?p=341785#post341785