Post #1, Apr 22 2008, 08:56 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
After installing Norton Ghost yesterday, today, when I started up my computer, my TrendNet PC-Cillin anti-virus program picked up a virus. It also kept popping up a "dangerous website - close web browser and do not reopen" message even though I wasn't even browsing the internet. I'm pretty sure that's a case of virus/spyware. And a dialog kept popping up, saying my computer had a virus. It said it cleaned it and I should reboot. I did, but I'm not sure if it's 100% removed (if it even is). I did a couple of scans, but I still want to be sure it's all cleaned up. Thanks.

Edit: I think the virus is still there. The "dangerous website - close web browser and do not reopen" message still keeps reappearing, with sites I'm not on. And the computer is really running a lot slower than before. A "DrWatson Debugger failed... needs to close" error message also appears, after which the whole system freezes and a reboot is needed. I'm on Win XP Pro.

This post has been edited by funnytim: Apr 23 2008, 01:10 AM
Post #2, Apr 23 2008, 08:29 PM
Moderator "To INSANITY and BEYOND !!" (Group: Moderator; Posts: 7,981; Joined: 10-September 04; From: NJ USA; Member No.: 2,608)
Hello, I need to ask if you meant Trend Micro, not Trend Net. Have you tried scanning from safe mode with the antivirus?

Please download Malwarebytes Anti-Malware and save it to your desktop (alternate download link 1, alternate download link 2).
Post #3, Apr 23 2008, 09:11 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
Yes, I meant Trend Micro PC-Cillin, not TrendNet (I got a new wireless router a while ago by TrendNet and got them confused), sorry!

Here is my log:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 38132
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnlcdw (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcab133f (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbf9820a3 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Timothy Leung\Local Settings\Temporary Internet Files\Content.IE5\WD8X18GS\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amrnnhds.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ymngkqvr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\svehost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Timothy Leung\Desktop\lsass.zip (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(Ran in safe mode.) Thanks.

Also, after running the scan, the computer seems to be "half" in Safe Mode. (I selected "boot Windows normally" after the scan.) Only administrator accounts appear on the welcome screen, and the computer theme is the classic version (like the one in safe mode), not the XP blue style. It does not say the "Safe Mode" text anywhere. I've tried doing another reboot, to no avail. Thanks.

This post has been edited by funnytim: Apr 23 2008, 09:18 PM
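The log above shows one Vundo CLSID registered in several autostart locations, several files marked "Delete on reboot", and later posts report that the same detections come back after rebooting. The following added example (not from the thread or from Malwarebytes) parses MBAM's "item (family) -> action" lines, groups them by the persistence mechanism each abuses, lists files that were only scheduled for deletion at reboot, and flags CLSIDs that appear in more than one place. The sample input is a constructed subset of the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the MBAM log posted above, trimmed to a subset.
MBAM_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnlcdw (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcab133f (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\svehost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
# Autostart locations that appear in the log, keyed by a lower-case path fragment.
PERSISTENCE = {
    "\\winlogon\\notify\\": "Winlogon Notify DLL (loaded by winlogon.exe at every logon)",
    "\\browser helper objects\\": "Browser Helper Object (loaded into Internet Explorer)",
    "\\shellexecutehooks\\": "ShellExecuteHook (loaded into explorer.exe)",
    "\\currentversion\\run\\": "Run key autostart (launched at logon)",
}

def parse_mbam_log(text):
    # One dict per "item (family) -> action" line; MBAM section headers do not match.
    return [m.groupdict() for m in (DETECTION.match(l.strip()) for l in text.splitlines()) if m]

def persistence_summary(detections):
    # Group registry detections by the autostart mechanism they abuse.
    groups = defaultdict(list)
    for d in detections:
        for fragment, mechanism in PERSISTENCE.items():
            if fragment in d["item"].lower():
                groups[mechanism].append(d["item"])
    return dict(groups)

def pending_reboot(detections):
    # Files that were in use at scan time: they stay on disk until a reboot completes the delete.
    return sorted(d["item"] for d in detections if d["action"].startswith("Delete on reboot"))

def shared_clsids(detections):
    # CLSIDs registered in more than one place: one component hooked into several hosts.
    seen = defaultdict(set)
    for d in detections:
        for c in re.findall(r"\{[0-9a-f-]{36}\}", d["item"].lower()):
            seen[c].add(d["item"])
    return {c for c, items in seen.items() if len(items) > 1}
```

A non-empty pending_reboot list after a rescan is the first thing to check when "the same trojans keep showing up": the file was reported, not yet removed.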
Post #4, Apr 23 2008, 09:44 PM
Chewy (Visiting Alien; Group: Members; Posts: 4,162; Joined: 20-May 07; From: millenium falcon and rockytop; Member No.: 131,963)
Quote: "Hello, I need to ask if you meant Trend Micro, not Trend Net. Have you tried scanning from safe mode with the antivirus?"

MBAM is mostly meant to run in normal mode, when it's at full strength. See if you can repeat the scan in normal mode; if not, then you'll need to use SuperAntiSpyware from safe mode.

--------------------
Chewy
life is like a box of chocolates and stupid is as stupid does but you can always run
Post #5, Apr 23 2008, 10:38 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
I've tried running the scan in "normal mode". After the scan, it asks me to reboot. I do so. Afterward, I run the scan again, but the same trojans keep showing up. And as I said before, the computer seems to be "half in safe mode" (see post above). Thanks.
Post #6, Apr 23 2008, 10:50 PM
Chewy (Visiting Alien; Group: Members; Posts: 4,162; Joined: 20-May 07; From: millenium falcon and rockytop; Member No.: 131,963)
Download SAS:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Update it, close the program, reboot into safe mode, run the program, let it fix/remove any malware, and post the log in a reply.

--------------------
Chewy
Post #7, Apr 23 2008, 11:12 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
I should also mention that my internet seems to be very slow right now. It's taking forever to download SAS.

As I mentioned above, I just got a new TrendNet TEW-852BPR wireless router. Could that be affecting the internet speed, or could it be the virus? My other computer's internet is also very slow. (I'm currently downloading SAS; I will run the scan and post back the log ASAP.)
Post #8, Apr 23 2008, 11:25 PM
Chewy (Visiting Alien; Group: Members; Posts: 4,162; Joined: 20-May 07; From: millenium falcon and rockytop; Member No.: 131,963)
It's best to tackle one problem at a time. It's always better to use wired connections for downloads; wireless works great sometimes and awful other times.

It's a lot of trouble to try and fix a badly infected computer, and often it's a good idea to disconnect it from the internet. You may be fixing one problem while a hidden component is downloading and replacing, or even upgrading, malware you removed.

--------------------
Chewy
Post #9, Apr 23 2008, 11:35 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
I couldn't even download it; the download froze halfway. Tried again, same thing. I had to use my other computer to download it, then transfer it over.

Then, it can't install. It says "system administrator has set policies to prevent this installation". My account is an administrator account. I've also tried using the default admin account, but the same message appears. So I can't even install it.
Post #10, Apr 24 2008, 12:18 AM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
Oops, I didn't see your above reply.

I should've mentioned that I'm connected to my wireless router via wired, so yeah. I've disconnected my infected computer from the internet now. (Please see my above post.) Thanks.

Edit: Not sure if it's just my bad internet right now, but I can't access some websites like Facebook (I can through a proxy though, sometimes), even on my (hopefully) uninfected computer.

This post has been edited by funnytim: Apr 24 2008, 02:02 AM
Post #11, Apr 24 2008, 06:09 AM
Chewy (Visiting Alien; Group: Members; Posts: 4,162; Joined: 20-May 07; From: millenium falcon and rockytop; Member No.: 131,963)
It's pretty obvious the infection is getting worse, or you have added a new one to an older one. The Vundo is obvious in the log and looks to be something fairly recent and particularly nasty.

http://www.bleepingcomputer.com/forums/ind...10&hl=vundo

You could try this, but I doubt it would work. The HijackThis forum is still backed up and very busy. Your infection really extends beyond the realm of the self-help tools.

--------------------
Chewy
Post #12, Apr 24 2008, 10:44 AM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
Oh man, how did I get this infection?!

The day before, I used Internet Explorer instead of Opera, which is what I usually use. I wonder if that's the problem. Thanks, I will try that link you gave me when I get home (I am currently at school). If it doesn't work, I guess I should post a HijackThis log in the HijackThis forum? For security measures, I've also disconnected my computer from the internet.
Post #13, Apr 24 2008, 11:01 AM
Chewy (Visiting Alien; Group: Members; Posts: 4,162; Joined: 20-May 07; From: millenium falcon and rockytop; Member No.: 131,963)
Quote: "After installing Norton Ghost yesterday"
Quote: "Oh man, how did I get this infection?!"

Coincidence; it depends upon where you got Ghost. One little trojan downloader can be 20 KB if I remember right. I did a test to see why my clients using LimeWire were all hosing their computers a couple of years ago (I was going to reload the computer anyway); you've never seen a wookie pull a Cat 5 cable so fast.

--------------------
Chewy
Post #14, Apr 24 2008, 12:01 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
Haha, you're right.

OK, I'll try the link you sent me when I get home, and I'll post any results I get. But when I tried installing SAS yesterday, remember I got that error message? That message might come up again if I try installing those two you sent me; I guess we'll see. Thanks!
Post #15, Apr 24 2008, 11:33 PM
funnytim (Forum Regular; Group: Members; Posts: 313; Joined: 27-April 06; From: Richmond, BC, Canada; Member No.: 65,800)
OK, tried both tools. Both found something apparently; I cleaned and restarted, but MBAM still finds the trojan.