I'm Infected Need Help Badly Please


This topic is locked. 6 replies to this topic.

#1 techi (Members)

Posted 13 March 2008 - 02:38 PM

Hi All,
I have been infected with a trojan or something similar. I have noticed this thing keeps creating lots of *.tmp files in my windows\temp directory.
I have ZoneAlarm Internet Security, Spybot and SUPERAntiSpyware installed, as per reading messages from this site.

It seems to create these files and send mass emails from my system, as per netstat.exe in a command prompt.

I can prevent the sending of spam with ZoneAlarm by disabling services.exe, but this will cause its own set of problems, I would imagine.

I have a log from SUPERAntiSpyware and others; however, as per the header, I will not attach until requested. I assume this is the correct procedure.

Hopefully someone can help, as I have tried everything I know for the past 4 days and my head is melted and the wife very lonely :thumbsup:

Cheers
Martin
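Added example (not part of Martin's post, and not from any of the tools he names) of the check he describes: parsing `netstat -ano` output for processes with outbound connections to SMTP ports and mapping each PID back to an image name from `tasklist` (on XP SP2 and later, `netstat -b` prints the image name directly but needs an administrator prompt). The netstat rows and the PID-to-image table below are constructed, as is the short list of core system images that never legitimately originate mail sessions. A core image such as services.exe fanning out to many mail servers is the pattern consistent with his finding that blocking services.exe in ZoneAlarm stops the spam.

```python
"""Added example: triage `netstat -ano` output for outbound SMTP fan-out.

Both samples below are constructed for illustration; on a live host
substitute the output of `netstat -ano` and `tasklist` (or use `netstat -b`).
"""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Constructed sample of `netstat -ano` output on a Windows XP host
# (IPv4 only; bracketed IPv6 addresses are not handled here).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    192.168.1.10:1043      203.0.113.7:25         SYN_SENT        672
  TCP    192.168.1.10:1044      198.51.100.22:25       ESTABLISHED     672
  TCP    192.168.1.10:1045      203.0.113.9:25         SYN_SENT        672
  TCP    192.168.1.10:1046      198.51.100.40:25       SYN_SENT        672
  TCP    192.168.1.10:1050      192.0.2.15:80          ESTABLISHED     1880
  TCP    192.168.1.10:1051      192.0.2.99:25          ESTABLISHED     1880
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image-name table (what `tasklist` would give you).
TASKLIST_SAMPLE = {4: "System", 672: "services.exe", 924: "svchost.exe", 1880: "outlook.exe"}

# Core Windows images that never legitimately originate SMTP sessions
# (a heuristic list, an assumption of this example).
NEVER_MAILS = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

# One netstat row: proto, local addr:port, foreign addr:port, optional state, PID.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({
            "proto": proto,
            "local": (laddr, int(lport)),
            "remote": (faddr, fport),      # fport stays a string: "*" for UDP
            "state": state or "",
            "pid": int(pid),
        })
    return rows


def smtp_fanout(rows, tasklist, threshold=3):
    """Map PID -> (image, distinct SMTP peers) for PIDs talking to at least
    `threshold` distinct mail servers. Listening sockets have remote port 0
    and never count; UDP rows are ignored."""
    peers = defaultdict(set)
    for r in rows:
        if r["proto"] != "TCP" or not r["remote"][1].isdigit():
            continue
        if int(r["remote"][1]) in SMTP_PORTS:
            peers[r["pid"]].add(r["remote"][0])
    return {
        pid: (tasklist.get(pid, "<unknown>"), len(hosts))
        for pid, hosts in peers.items()
        if len(hosts) >= threshold
    }


def suspicious_pids(fanout):
    """PIDs from `fanout` whose image is a core system process."""
    return sorted(pid for pid, (image, _) in fanout.items()
                  if image.lower() in NEVER_MAILS)


if __name__ == "__main__":
    fan = smtp_fanout(parse_netstat(NETSTAT_SAMPLE), TASKLIST_SAMPLE)
    for pid, (image, n) in fan.items():
        print(f"PID {pid} ({image}) -> {n} distinct SMTP peers")
    print("suspicious:", suspicious_pids(fan))
```

The threshold separates a mail client talking to its one outbound server from a spam engine cycling through many recipients' MX hosts; half-open SYN_SENT rows count the same as established ones because a bot's connections are mostly still in that state at any instant.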


#2 helpingRocks (Members)

Posted 13 March 2008 - 05:42 PM

Please post the SUPERAntiSpyware log if you could. =]

#3 Billy O'Neal (Malware Response Team)

Posted 13 March 2008 - 08:43 PM

Please follow the instructions here:
http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 techi (Topic Starter)

Posted 14 March 2008 - 01:09 PM

Hi Billy & helpingRocks,

I have done as requested and copied the logs; hopefully you can spot something.

Eset Log
========
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2948 (20080314)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d31142772f5c5c469ba6c8944190b0c2
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-14 05:24:18
# local_time=2008-03-14 05:24:18 (+0000, GMT Standard Time)
# country="Ireland"
# osver=5.1.2600 NT Service Pack 2
# scanned=189491
# found=1
# scan_time=4772
C:\Program Files\Mozilla Firefox\readme.bat probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000


Superantispyware Log
====================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2008 at 12:41 PM

Application Version : 4.0.1154

Core Rules Database Version : 3418
Trace Rules Database Version: 1410

Scan type : Complete Scan
Total Scan Time : 01:39:22

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 5423
Registry threats detected : 0
File items scanned : 40560
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Martin Browne\Cookies\martin_browne@revenue[2].txt
C:\Documents and Settings\Martin Browne\Cookies\martin_browne@server.iad.liveperson[1].txt
C:\Documents and Settings\Martin Browne\Cookies\martin_browne@server.iad.liveperson[3].txt

Trojan.Downloader-Gen/A
C:\RECOVERED\APPS\MOBILE_PHONE_UNLOCKING_TOOLS_-_SUPERPACK\MOBILEPHONE._20UNLOCKINGTOOLSL_20SUPERPACK\NEW_CALC_BY_MROA_1.3\A.EXE


Spybot S&D Log
==============
13/03/2008 01:24:07 Allowed (based on user decision) value "SpybotDeletingB4153" (new data: "command /c del "C:\PROGRAM FILES\NOADWARE5.0\nutils.dll"") added in System Startup user entry!
13/03/2008 01:24:20 Allowed (based on user decision) value "SpybotDeletingD8797" (new data: "cmd /c del "C:\PROGRAM FILES\NOADWARE5.0\nutils.dll"") added in System Startup user entry!
13/03/2008 01:24:30 Allowed (based on user decision) value "SpybotDeletingA8425" (new data: "command /c del "C:\PROGRAM FILES\NOADWARE5.0\nutils.dll"") added in System Startup global entry!
13/03/2008 01:24:39 Allowed (based on user decision) value "SpybotDeletingC2213" (new data: "cmd /c del "C:\PROGRAM FILES\NOADWARE5.0\nutils.dll"") added in System Startup global entry!
13/03/2008 10:45:27 Allowed (based on user decision) value "!SASWinLogon" (new data: "") added in Winlogon Notifiers!
13/03/2008 10:46:39 Allowed (based on user decision) value "SUPERAntiSpyware" (new data: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe") added in System Startup user entry!
13/03/2008 15:08:01 Allowed (based on user decision) value "SpybotDeletingB4153" (new data: "") deleted in System Startup user entry!
13/03/2008 15:08:03 Allowed (based on user decision) value "SpybotDeletingD8797" (new data: "") deleted in System Startup user entry!
13/03/2008 15:08:07 Allowed (based on user decision) value "SpybotDeletingA8425" (new data: "") deleted in System Startup global entry!
13/03/2008 15:08:07 Allowed (based on user decision) value "SpybotDeletingC2213" (new data: "") deleted in System Startup global entry!
13/03/2008 23:24:52 Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
13/03/2008 23:25:34 Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
14/03/2008 00:11:26 Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
14/03/2008 00:19:32 Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
14/03/2008 16:02:41 Allowed (based on user decision) value "{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}" (new data: "") added in ActiveX Distribution Unit!

I have a snapshot of the ZoneAlarm logs, as I can't find the location of the log file; I can email it if required, as I could not see an option to attach it here.

Thanks
Martin

Edited by boopme, 15 March 2008 - 12:38 PM.
removed HJT Log


#5 Billy O'Neal (Malware Response Team)

Posted 14 March 2008 - 03:04 PM

Greetings in Ireland!
Please do not post HJT logs here.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.

Also, your HJT is the wrong version.

If you still want the HJT team to look at your log, please post your log in a new topic in the Hijack This Logs and Malware Analysis Forum.

Billy3

#6 techi (Topic Starter)

Posted 15 March 2008 - 10:08 AM

Hi Billy,
I have done as requested and rerun the tests; logs attached. SUPERAntiSpyware found something, please advise the next step. (New version of Java installed.)


Eset Log
========
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2949 (20080315)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d31142772f5c5c469ba6c8944190b0c2
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-15 12:50:59
# local_time=2008-03-15 12:50:59 (+0000, GMT Standard Time)
# country="Ireland"
# osver=5.1.2600 NT Service Pack 2
# scanned=190153
# found=0
# scan_time=4798

Superantispyware Log
====================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 02:44 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 01:27:26

Memory items scanned : 415
Memory threats detected : 0
Registry items scanned : 5433
Registry threats detected : 0
File items scanned : 49247
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Martin Browne\Cookies\martin_browne@hitbox[2].txt
C:\Documents and Settings\Martin Browne\Cookies\martin_browne@ehg-eset.hitbox[2].txt

Adware.E404 Helper/Variant-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP70\A0017076.DLL

RootKit.Unclassified/PolyMorph-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP72\A0018032.SYS


Regards
Martin
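The ESET and SUPERAntiSpyware logs in posts #4 and #6 use a fixed layout: ESET writes "# key=value" header lines followed by one line per detection (path, threat description, the action taken in parentheses, a hash), while SUPERAntiSpyware lists paths under a category line. The following is an added example, not code from the thread or from either vendor, that parses both formats and splits the findings into three buckets a helper actually cares about: tracking cookies, copies inside System Volume Information\_RESTORE (System Restore snapshots, inert unless a restore point is applied, and cleared by purging the restore points rather than by the scanner), and files in live locations. The two sample logs are constructed and trimmed from the layout shown above, with the user name and one path replaced by placeholders; the pattern used for ESET's threat description is an assumption taken from the single detection line in this thread.

```python
"""Added example: parse ESET Online Scanner and SUPERAntiSpyware logs and
separate live detections from tracking cookies and System Restore copies.

The two sample logs are constructed, trimmed to the layout seen in the thread.
"""
import re

ESET_SAMPLE = r"""# version=4
# end=finished
# remove_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=189491
# found=1
# scan_time=4772
C:\Program Files\Mozilla Firefox\readme.bat probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

SAS_SAMPLE = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 02:44 PM

Application Version : 4.0.1154

File items scanned : 49247
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@hitbox[2].txt
C:\Documents and Settings\User\Cookies\user@ehg-eset.hitbox[2].txt

Adware.E404 Helper/Variant-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP70\A0017076.DLL

RootKit.Unclassified/PolyMorph-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP72\A0018032.SYS

Trojan.Downloader-Gen/A
C:\RECOVERED\APPS\SOMETOOL\A.EXE
"""

ESET_HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# path, then a threat description of the form seen in the thread (assumption:
# optional "probably a variant of" / "a variant of", then Family/Name and
# lowercase type words), then "(action)" and an optional 32-hex hash.
ESET_FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*) "
    r"\((?P<action>[^)]*)\)"
    r"(?: (?P<hash>[0-9a-fA-F]{32}))?\s*$"
)
SAS_CATEGORY_RE = re.compile(r"^[A-Z][A-Za-z]+\.\S.*$")   # e.g. Adware.Tracking Cookie
PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{", re.IGNORECASE)
RESOLVED_WORDS = ("deleted", "cleaned", "quarantined")


def parse_eset(text):
    """Return (header dict, list of finding dicts) from an ESET log."""
    header, findings = {}, []
    for line in text.splitlines():
        m = ESET_HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = ESET_FINDING_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return header, findings


def parse_sas(text):
    """Return [{category, path}] from a SUPERAntiSpyware log; a blank line
    ends the current category section."""
    findings, category = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            category = None
        elif PATH_RE.match(line) and category:
            findings.append({"category": category, "path": line})
        elif SAS_CATEGORY_RE.match(line):
            category = line
    return findings


def triage(eset_text, sas_text):
    """Combine both logs into one report: what ESET left unresolved, and the
    SAS findings split into cookies / restore-point copies / live files."""
    header, eset = parse_eset(eset_text)
    report = {
        "eset_found": int(header.get("found", "0")),
        "eset_unresolved": [f["path"] for f in eset
                            if not any(w in f["action"] for w in RESOLVED_WORDS)],
        "cookies": [], "restore_point": [], "live": [],
    }
    for f in parse_sas(sas_text):
        if f["category"].startswith("Adware.Tracking Cookie"):
            report["cookies"].append(f["path"])
        elif RESTORE_RE.search(f["path"]):
            report["restore_point"].append(f["path"])
        else:
            report["live"].append(f["path"])
    return report


if __name__ == "__main__":
    for key, value in triage(ESET_SAMPLE, SAS_SAMPLE).items():
        print(f"{key}: {value}")
```

Only the "live" bucket needs a removal step; the restore-point bucket is the reason helpers ask for System Restore to be flushed once a machine is otherwise clean, and the cookie bucket is noise that inflates the "threats detected" count.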

#7 boopme (Global Moderator)

Posted 15 March 2008 - 12:40 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.



