Stubborn Virus


  • This topic is locked
5 replies to this topic

#1 SFX

Posted 15 March 2008 - 05:36 AM

Hi, I'm new here (my first post) and would like the HJT team to help me out in cleaning out this stubborn virus. I'm an amateur malware removal helper (never received any training whatsoever; all the advice is based on my computing experience) and I'm stuck on what the next step should be. Actually, it's on another forum that I'm helping, under the same nickname as here, SFX. The link to the topic is HERE. Please read through the topic posted by greykhkc and SFX to get an idea of the progress so far.

The victim of the virus is the threadstarter, greykhkc. The latest update is at post #22 (as of 01:17 PM, 15 March 2008, GMT +0800).

Attached here (in a .zip file) is the HijackThis log, together with the additional Kaspersky Online Scan log and SREng2 log from post #22.

Could you please advise me what the next step is that I should take to remove this stubborn virus?

I will reply on Monday, 17 March 2008, GMT +0800. I created this topic in a hurry as I have limited time to use a PC. Sorry if I break any rules, as I don't have time to go through them thoroughly. Thanks in advance.

#2 don77

Posted 15 March 2008 - 10:19 AM

It would be best for you to refer the user here on his own.

I must say that the original log showed a severely compromised system, which the OP should have been made aware of in the very first post. He had various worms on that machine that are capable of recording keystrokes as well as stealing passwords.

Had the OP come here, he would have been given the following as the first reply due to the nature of the infections.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.


If nothing else, you at least owe it to the OP to inform him of this.

#3 SFX (Topic Starter)

Posted 17 March 2008 - 06:04 AM

I've already informed the original poster on the forum that I'm posting here, and I am now waiting for a reply (it might take a few days, depending on when the original poster replies to me).

Off-topic:
Just out of curiosity (for my own additional knowledge), I'm puzzled by these entries in the HJT log:

O4 - HKCU\..\Run: [Rtel] "C:\WINDOWS\system32\|3asks\dexplore.exe" -vt yazb. From my knowledge of computing so far, I have never come across a folder name containing |. How come it is allowed and was created in this particular case?

Also, this entry: O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe. I've searched the internet for this sttray.exe file and so far the results I've got don't yield a good answer. So, what does this executable file do, and is it harmful?

Thanks in advance to those who can answer the above 2 questions.

#4 don77

Posted 17 March 2008 - 07:09 AM

Also, this entry: O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe. I've searched the internet for this sttray.exe file and so far the results I've got don't yield a good answer. So, what does this executable file do, and is it harmful?


http://www.castlecops.com/modules.php?name...matelSysTrayApp

identical match

O4 - HKCU\..\Run: [Rtel] "C:\WINDOWS\system32\|3asks\dexplore.exe" -vt yazb. From my knowledge of computing so far, I have never come across a folder name containing |. How come it is allowed and was created in this particular case?


Do some research on Purity.

If you actually went after this folder

O4 - HKCU\..\Run: [Eps] "C:\Program Files\Common Files\?icrosoft.NET\r|?ndll.exe"

the folder would read as Microsoft.Net, but the folder would show 0 size.
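An added example, not from this thread or from HijackThis: a small Python checker that flags O4 Run entries whose program path contains characters Windows does not permit in a file or folder name (such as the | and ? in the entries quoted above), which is a cheap way to surface entries like these in a log. The sample lines are the three entries quoted in this thread, re-typed as constructed test input; the sttray.exe entry is included to show a normally named entry passing unflagged.

```python
import re

# Characters Win32 rejects inside a file or folder name component; the drive
# colon and the backslash separators are stripped before a path is checked.
ILLEGAL_NAME_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}

# HijackThis O4 line shape: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def extract_path(cmd):
    """Program path from a Run value's command line: quoted paths are taken verbatim, unquoted ones end at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]

def illegal_chars(path):
    """Set of characters in any path component that Windows would not accept in a name."""
    body = path[2:] if re.match(r'^[A-Za-z]:', path) else path
    found = set()
    for component in body.split('\\'):
        found |= {ch for ch in component if ch in ILLEGAL_NAME_CHARS}
    return found

def check_o4_lines(lines):
    """(value name, path, offending chars) for each O4 entry whose path could not be a legitimately named file."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group('cmd'))
        bad = illegal_chars(path)
        if bad:
            flagged.append((m.group('name'), path, ''.join(sorted(bad))))
    return flagged

# Constructed sample: the three O4 entries quoted in this thread.
SAMPLE_LOG = [
    r'O4 - HKCU\..\Run: [Rtel] "C:\WINDOWS\system32\|3asks\dexplore.exe" -vt yazb',
    r'O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe',
    r'O4 - HKCU\..\Run: [Eps] "C:\Program Files\Common Files\?icrosoft.NET\r|?ndll.exe"',
]

if __name__ == '__main__':
    for name, path, bad in check_o4_lines(SAMPLE_LOG):
        print(f'[{name}] {path}  <- characters not allowed in a name: {bad}')
```

Run against a full HJT log, it lists only the O4 entries with an impossible path; an entry that passes is not thereby clean, only normally named.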

#5 SFX (Topic Starter)

Posted 21 March 2008 - 05:26 AM

The OP just replied to me stating that his PC has been reformatted. Guess that help is not needed. Moderator, please close the topic. Thanks to don77 for taking the time to reply to my topic.

#6 don77

Posted 21 March 2008 - 12:36 PM

As you wish..

You're very welcome :thumbsup:

Don