V.cmd And Ircbot.dme

25 replies to this topic

#1 KJLue
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 10:17 AM

Hello, on separate occasions my antispyware and AVG detected the following programs:

v.cmd on my pen drive and on my iPod. It doesn't detect them, but it shows up while it is scanning and I know that v.cmd is not a good thing. It doesn't list it or remove it.

ircbot.dme in McAfee. AVG detected this and I then clicked Heal, but it moved it to the vault where I think it still might be.

Both my Crawler antispyware and AVG do not detect anything, not even these.

I then ran ComboFix. I see the log but I don't see if it found anything or did anything because I don't understand the log. I don't want to use HijackThis yet until someone tells me to, because it says that if something goes wrong I will not be able to detect the malware again.

Please help me! What should I do? Also, I don't have access to any known clean computers. All of them have some problem. Should I log on to them and change my passwords anyway?


#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 March 2008 - 10:50 AM

Hello. Welcome to Bleeping Computer. Please state your operating system. I assume it is XP since you have AVG.

First you will need to reformat your iPod. This will ensure that your computer does not get reinfected by the iPod.
  • Plug your iPod in.
  • Open My Computer.
  • Right click your iPod. Select Format. You will be asked for confirmation. Click OK leaving the options at default.
  • The reformatting will take a moment.
Your iPod will now have been wiped clean. Please do not plug it back into your computer until this infection is fully removed.

Before we run the next tool, we need you to clear your temp files. This saves the tool time going through them. We will do this using ATF Cleaner.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next we will run SDFix to scan for any trojans, including the one you mentioned.
  • Download the SDFix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode.
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow SDFix to boot the computer into normal boot.
  • At reboot, the prompt window will pop up, along with a log shortly after. Copy the contents of the log back in your next reply.
Thank you for your patience. If you have any questions please feel free to ask.

Note that I might not be online to answer them myself. Another helper would be glad to. Also, there is no need to send me PMs. I will look through the topics and will usually respond to any with no replies.

Edited by PropagandaPanda, 18 March 2008 - 10:51 AM.


#3 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 March 2008 - 11:01 AM

Please be patient. I am writing my response now.

"ATF cleaner is infected with new malware.bm" (from your PM)

Sorry, I don't understand. Does your anti-malware program detect ATF Cleaner as malware?

If so, simply ignore it and run the cleaner anyway.

#4 KJLue
  • Topic Starter
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 11:04 AM

I tried downloading the ATF Cleaner. I was told that it was infected with new malware.bm and could not be cleaned or deleted. I have formatted the external drive and the iPod with my heart in my hands.
Please tell me if i should proceed with the cleaner.

#5 KJLue
  • Topic Starter
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 11:10 AM

ok.

Edited by KJLue, 18 March 2008 - 11:14 AM.


#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 March 2008 - 11:24 AM

KJLue, it is best to keep your questions in the thread and not ask them via PM. Others with suggestions that could help with a situation such as you are dealing with have no idea what information was exchanged. This could lead to confusion or the lack of providing you with further assistance. I see you edited your last post to just say Ok. So does that mean your issues have been resolved with the reformat? You apparently had a Flash drive infection which can be transferred to your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 KJLue
  • Topic Starter
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 11:57 AM

No, I was just having a minor problem with SDFix which resolved itself. The problem is not fixed yet, not that I know of. Below is the log you mentioned. I was told not to plug anything back in until the process was completed. Thank you. I understood that and reposted the PM as you can see.

Please tell me what all this means and what further steps I should take. I am certain that my iPod and the flash drive had v.cmd and that my computer had an ircbot.dme in the AVG vault. I am positive. They were not plugged in while SDFix was running.


SDFix: Version 1.158

Run by Administrator on Tue 03/18/2008 at 09:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found


Removing Temp Files

ADS Check :


Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 21:42:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Windows Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Neverwinternights\\nwmain.exe"="C:\\Neverwinternights\\nwmain.exe:*:Enabled:Neverwinter Nights"
"D:\\programfiles\\avg\\avginet.exe"="D:\\programfiles\\avg\\avginet.exe:*:Enabled:avginet.exe"
"D:\\programfiles\\avg\\avgamsvr.exe"="D:\\programfiles\\avg\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"D:\\programfiles\\avg\\avgcc.exe"="D:\\programfiles\\avg\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"F:\\iTunes\\iTunes.exe"="F:\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 29 Nov 2007 1,351,651 A..H. --- "C:\Downloads\annual.zip"
Tue 8 Jan 2008 19,064,216 A..H. --- "C:\Downloads\hempuli_knyttxh.zip"
Wed 9 Jan 2008 26,529,613 A..H. --- "C:\Downloads\30stm_the_kill_internet.m4v.zip"
Thu 24 Jan 2008 143,774,635 A..H. --- "C:\Downloads\Hasslevania.zip"
Tue 11 Mar 2008 35,232,584 A..H. --- "C:\Downloads\jamesinneverland.zip"
Tue 18 Mar 2008 1,413,305 A..H. --- "C:\Downloads\Software\SDFix.exe"
Mon 1 Jan 2001 532,992 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3891.tmp"
Tue 1 May 2007 484,864 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0654.tmp"
Wed 2 May 2007 19,968 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0004.tmp"
Wed 2 May 2007 50,176 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0669.tmp"
Wed 2 May 2007 171,008 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0623.tmp"
Wed 2 May 2007 353,792 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3763.tmp"
Wed 2 May 2007 353,792 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1259.tmp"
Tue 1 May 2007 382,464 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0873.tmp"
Tue 1 May 2007 418,304 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1447.tmp"
Mon 1 Jan 2001 19,968 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL4099.tmp"
Mon 1 Jan 2001 21,504 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2541.tmp"
Mon 1 Jan 2001 21,504 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3209.tmp"
Mon 1 Jan 2001 21,504 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2637.tmp"
Mon 1 Jan 2001 21,504 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0211.tmp"
Mon 1 Jan 2001 21,504 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3079.tmp"
Mon 1 Jan 2001 22,016 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3982.tmp"
Mon 1 Jan 2001 22,016 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3596.tmp"
Mon 1 Jan 2001 22,528 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0542.tmp"
Mon 1 Jan 2001 24,576 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2533.tmp"
Mon 1 Jan 2001 24,576 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3771.tmp"
Mon 1 Jan 2001 24,576 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2517.tmp"
Mon 1 Jan 2001 24,576 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3125.tmp"
Tue 1 May 2007 1,264,640 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3888.tmp"
Mon 1 Jan 2001 1,317,888 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2420.tmp"
Mon 1 Jan 2001 1,351,168 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3567.tmp"
Mon 1 Jan 2001 24,576 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3808.tmp"
Mon 1 Jan 2001 521,216 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2159.tmp"
Mon 1 Jan 2001 538,112 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2896.tmp"
Tue 29 May 2007 602,624 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL2737.tmp"
Mon 1 Jan 2001 25,600 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1615.tmp"
Mon 1 Jan 2001 786,432 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1596.tmp"
Mon 1 Jan 2001 25,600 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1708.tmp"
Mon 1 Jan 2001 675,328 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0040.tmp"
Mon 1 Jan 2001 27,136 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0638.tmp"
Mon 1 Jan 2001 28,160 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3459.tmp"
Mon 1 Jan 2001 754,176 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1900.tmp"
Mon 1 Jan 2001 28,160 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0808.tmp"
Mon 1 Jan 2001 28,160 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1470.tmp"
Mon 1 Jan 2001 28,160 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3017.tmp"
Mon 1 Jan 2001 28,672 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3515.tmp"
Mon 1 Jan 2001 28,160 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3743.tmp"
Mon 1 Jan 2001 29,184 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1915.tmp"
Mon 1 Jan 2001 29,184 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL0900.tmp"
Mon 1 Jan 2001 29,696 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL1468.tmp"
Mon 1 Jan 2001 29,696 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3126.tmp"
Sun 16 Mar 2008 160,261,957 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP163\A0517592.exe"
Wed 9 Jan 2008 36,346,669 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP147\A0487912.exe"
Tue 8 Jan 2008 40,948,645 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP147\A0487913.exe"
Mon 7 Jan 2008 98,801,519 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP147\A0487917.exe"
Fri 18 Jan 2008 98,801,519 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP147\A0488916.exe"
Tue 18 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT4.tmp"
Fri 5 Jan 2007 494,592 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3017.tmp"
Sat 6 Jan 2007 507,392 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0427.tmp"
Sat 6 Jan 2007 529,408 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2865.tmp"
Sat 6 Jan 2007 529,920 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3438.tmp"
Sat 6 Jan 2007 529,920 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2857.tmp"
Sat 6 Jan 2007 532,992 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2467.tmp"
Sat 6 Jan 2007 540,672 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2146.tmp"
Sat 6 Jan 2007 541,696 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1582.tmp"
Sat 6 Jan 2007 542,208 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0053.tmp"
Sat 6 Jan 2007 555,008 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0772.tmp"
Sat 6 Jan 2007 555,520 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0507.tmp"
Sat 6 Jan 2007 556,032 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1873.tmp"
Sat 6 Jan 2007 556,544 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1961.tmp"
Sat 6 Jan 2007 556,544 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0641.tmp"
Sat 6 Jan 2007 559,616 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3364.tmp"
Sat 6 Jan 2007 567,808 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2132.tmp"
Sat 6 Jan 2007 568,320 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1040.tmp"
Sat 6 Jan 2007 566,784 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0246.tmp"
Sat 6 Jan 2007 580,608 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2833.tmp"
Sat 6 Jan 2007 580,608 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1511.tmp"
Sat 6 Jan 2007 581,120 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3778.tmp"
Sat 6 Jan 2007 591,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0986.tmp"
Sat 6 Jan 2007 613,888 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0209.tmp"
Sat 6 Jan 2007 615,424 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1152.tmp"
Sat 6 Jan 2007 617,472 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3095.tmp"
Sat 6 Jan 2007 622,592 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0726.tmp"
Sat 6 Jan 2007 623,104 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1383.tmp"
Sat 6 Jan 2007 623,104 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1660.tmp"
Sat 6 Jan 2007 624,640 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2234.tmp"
Sat 6 Jan 2007 627,200 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1944.tmp"
Sat 6 Jan 2007 627,200 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0812.tmp"
Sat 6 Jan 2007 629,248 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0594.tmp"
Sat 6 Jan 2007 631,296 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2193.tmp"
Sat 6 Jan 2007 631,296 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2756.tmp"
Sat 6 Jan 2007 631,296 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2511.tmp"
Sat 6 Jan 2007 631,296 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3284.tmp"
Sat 6 Jan 2007 631,808 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0353.tmp"
Sat 6 Jan 2007 638,464 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3940.tmp"
Sat 6 Jan 2007 654,336 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1425.tmp"
Sat 6 Jan 2007 655,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1439.tmp"
Sat 6 Jan 2007 664,064 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1441.tmp"
Sat 6 Jan 2007 664,064 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3667.tmp"
Sat 6 Jan 2007 672,256 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3896.tmp"
Sat 6 Jan 2007 672,256 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3295.tmp"
Sat 6 Jan 2007 557,568 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0337.tmp"
Sat 6 Jan 2007 565,760 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3098.tmp"
Sat 6 Jan 2007 566,784 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3170.tmp"
Sat 6 Jan 2007 566,784 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2283.tmp"
Sat 6 Jan 2007 574,976 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0848.tmp"
Sat 6 Jan 2007 583,168 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL4085.tmp"
Sat 6 Jan 2007 583,168 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2830.tmp"
Sat 6 Jan 2007 591,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3060.tmp"
Sat 6 Jan 2007 591,872 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0423.tmp"
Sat 6 Jan 2007 591,872 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0598.tmp"
Sat 6 Jan 2007 600,064 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0307.tmp"
Sat 6 Jan 2007 600,064 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0101.tmp"
Sat 6 Jan 2007 611,328 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2781.tmp"
Sat 6 Jan 2007 622,592 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3757.tmp"
Sat 6 Jan 2007 622,592 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0046.tmp"
Sat 6 Jan 2007 630,272 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1498.tmp"
Sat 6 Jan 2007 630,272 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2597.tmp"
Sat 6 Jan 2007 638,976 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3498.tmp"
Sat 6 Jan 2007 638,976 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL4091.tmp"
Sat 6 Jan 2007 646,656 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1777.tmp"
Sat 6 Jan 2007 646,656 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0952.tmp"
Sat 6 Jan 2007 646,656 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0073.tmp"
Sat 6 Jan 2007 646,656 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0338.tmp"
Sat 6 Jan 2007 653,824 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2123.tmp"
Sat 6 Jan 2007 654,848 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1893.tmp"
Sat 6 Jan 2007 655,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0211.tmp"
Sat 6 Jan 2007 666,112 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2775.tmp"
Sat 6 Jan 2007 666,112 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1247.tmp"
Sat 6 Jan 2007 675,328 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1724.tmp"
Sat 6 Jan 2007 682,496 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2903.tmp"
Sat 6 Jan 2007 683,520 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1769.tmp"
Sat 6 Jan 2007 683,008 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2918.tmp"
Sat 6 Jan 2007 697,344 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2642.tmp"
Sat 6 Jan 2007 694,784 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3609.tmp"
Sat 6 Jan 2007 702,464 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1834.tmp"
Sat 6 Jan 2007 704,000 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3006.tmp"
Sat 6 Jan 2007 704,000 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1933.tmp"
Sat 6 Jan 2007 710,656 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3758.tmp"
Sat 6 Jan 2007 719,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0730.tmp"
Sat 6 Jan 2007 719,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1435.tmp"
Sat 6 Jan 2007 728,064 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2546.tmp"
Sat 6 Jan 2007 736,768 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0728.tmp"
Sat 6 Jan 2007 739,328 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2081.tmp"
Sat 6 Jan 2007 752,640 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2837.tmp"
Sat 6 Jan 2007 753,152 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1918.tmp"
Sat 6 Jan 2007 756,736 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2556.tmp"
Sat 6 Jan 2007 757,248 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0725.tmp"
Sat 6 Jan 2007 786,944 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3750.tmp"
Sat 6 Jan 2007 819,200 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1744.tmp"
Thu 11 Jan 2007 830,976 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3061.tmp"
Thu 11 Jan 2007 832,000 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1113.tmp"
Thu 11 Jan 2007 828,416 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL1914.tmp"
Thu 11 Jan 2007 801,792 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0759.tmp"
Thu 11 Jan 2007 783,360 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL2619.tmp"
Thu 11 Jan 2007 776,704 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0244.tmp"
Thu 11 Jan 2007 772,096 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL3597.tmp"
Thu 11 Jan 2007 773,120 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0103.tmp"
Thu 11 Jan 2007 768,000 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\spss data\~WRL0754.tmp"
Fri 30 Mar 2007 29,696 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\damodaran\~WRL0154.tmp"
Sat 31 Mar 2007 41,472 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\damodaran\~WRL1493.tmp"
Sat 31 Mar 2007 41,472 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\damodaran\~WRL2470.tmp"
Sat 31 Mar 2007 41,472 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\damodaran\~WRL3713.tmp"
Tue 7 Mar 2000 473,600 A..H. --- "C:\Documents and Settings\Windows Xp\My Documents\My Completed Downloads\Blades of Heaven\Harmony.dll"

Finished!
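An added triage helper (my own code, not SDFix's and not posted by anyone in this thread) that parses lines in the shape of the "Files with Hidden Attributes" section above and sorts them the way a helper would by hand: Word ~WRL temp files, System Restore snapshot copies, and hidden executables that deserve a second look. The categories and the extension list are my heuristics; the sample lines are constructed from the log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the SDFix "Files with Hidden Attributes" section.
SAMPLE_LOG = r'''
Thu 29 Nov 2007 1,351,651 A..H. --- "C:\Downloads\annual.zip"
Tue 18 Mar 2008 1,413,305 A..H. --- "C:\Downloads\Software\SDFix.exe"
Mon 1 Jan 2001 532,992 ...H. --- "C:\Documents and Settings\Windows Xp\My Documents\~WRL3891.tmp"
Sun 16 Mar 2008 160,261,957 A..H. --- "C:\System Volume Information\_restore{5B2935B0-DFC2-4E28-9206-9F853F9A2359}\RP163\A0517592.exe"
Tue 18 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT4.tmp"
Tue 7 Mar 2000 473,600 A..H. --- "C:\Documents and Settings\Windows Xp\My Documents\My Completed Downloads\Blades of Heaven\Harmony.dll"
'''

# One SDFix line: <dow> <day> <mon> <year> <size> <attrs> --- "<path>"
LINE_RE = re.compile(
    r'^(?P<dow>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]+)\s+---\s+"(?P<path>.+)"\s*$'
)

# Extensions Windows runs as code when opened; the v.cmd from this thread is a .cmd
EXEC_EXT = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# MS Word autosave/clipboard temp names, as quietman7 explains in the next reply
WORD_TEMP_RE = re.compile(r"^~WRL\d{4}\.tmp$", re.IGNORECASE)


def parse_line(line):
    """Parse one hidden-attribute line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    path = d["path"]
    name = path.rsplit("\\", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
    return {
        "modified": datetime.strptime(f'{d["day"]} {d["mon"]} {d["year"]}', "%d %b %Y").date(),
        "size": int(d["size"].replace(",", "")),
        "hidden": "H" in d["attrs"],   # SDFix prints H for the hidden attribute
        "path": path,
        "name": name,
        "ext": ext,
    }


def classify(entry):
    """My triage heuristic (not SDFix's): what kind of hidden file is this?"""
    if WORD_TEMP_RE.match(entry["name"]):
        return "word_temp"          # benign Word temp file
    if "\\System Volume Information\\_restore" in entry["path"]:
        return "restore_point"      # System Restore snapshot copy, not an active file
    if entry["ext"] in EXEC_EXT and entry["hidden"]:
        return "hidden_executable"  # code hidden from Explorer: verify each one by hand
    return "other"


def triage(log_text):
    """Group every parseable hidden-attribute line: category -> list of paths."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            groups[classify(entry)].append(entry["path"])
    return dict(groups)


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LOG).items():
        print(category)
        for p in paths:
            print("   ", p)
```

Lines that are not hidden-attribute entries (the rest of an SDFix log) are ignored, so the whole log can be fed in unchanged.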

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 March 2008 - 01:24 PM

Did you do a physical search of your drives for v.cmd? If not, use Windows Search feature > More advanced options to see if the file(s) are still present. To do this, go to Start -> Search and click For Files or Folders... or just press the Windows key + F key on the keyboard.
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
SDFix did not detect any serious infections.

Do you know what these files are?
C:\Downloads\annual.zip
C:\Downloads\hempuli_knyttxh.zip
C:\Downloads\30stm_the_kill_internet.m4v.zip
C:\Downloads\Hasslevania.zip
C:\Downloads\jamesinneverland.zip

WRL****.tmp files are related to clipboard temps when working with MS Word documents. See Description of how Word creates temporary files.

Are you finding any suspicious processes in Task Manager?

"I am certain that my ipod and the flash drive had v.cmd and that my computer had an ircbot.dme in the avg vault. I am positive."


When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it.

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed by AVG, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?"

#9 KJLue
  • Topic Starter
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 01:35 PM

Should I plug in the iPod and the flash drive and search them too? Or should I keep them at arm's length? I did format them, but at least the iPod retained its settings and the flash drive kept its name and the menu software that came with it.

I don't know what those are for sure; it's not really my computer but I am allowed to do whatever I want with it. Annual.zip is a financial data file in zipped format. hempuli is a remake of knytt. The one after that is a level or a game of the related knytt. Neither of them ran and both did strange things. Never heard of jamesinneverland and I think Hasslevania might be a game - not my doing so I'm not sure.

I was searching Google and I noticed that someone did a "kaspersky online scan" and v.cmd came up in that. Do you think I should plug in the things and run it too? I'm going to search just the computer for the files you said.

As for Task Manager, please define suspicious. I have been noticing things that I don't recognize. Today there is one different thing: alg.exe

#10 KJLue
  • Topic Starter
  • Members
  • 61 posts
  • Gender:Female

Posted 18 March 2008 - 01:44 PM

The search is complete. I searched "my computer". It says there are no results to display.

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,744 posts, Gender: Male, Location: Virginia, USA)

Posted 18 March 2008 - 01:59 PM

By checking Task Manager for anything suspicious, I mean anything you don't recognize. alg.exe is related to Microsoft's Application Layer Gateway Service.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

You can delete any of those zip files you don't want.

Since your search did not yield any results, chances are the file was removed. However, it would not hurt to perform a scan with Kaspersky Webscan.

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,744 posts, Gender: Male, Location: Virginia, USA)

Posted 18 March 2008 - 02:10 PM

Forgot to mention.

Removable media and flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention. This should also allow you to safely perform a scan and keep the malicious file from automatically running and infecting your system.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun, so be careful.

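The autorun.inf mechanism described in the post above can be checked from the defender's side with a small parser: read the file from a drive root, list which directives would launch something on insertion (open=, shellexecute=) and which ones hijack the drive's double-click or context-menu verbs (shell=, shell\verb\command=), which is why double-clicking a drive can still run the payload even with Autorun off. The following Python script is an added example, not code from this thread or from any tool mentioned in it. The autorun.inf text it examines is constructed for the example (the v.cmd name echoes this thread; the rest is a typical layout), and the directive names it looks for are the documented autorun.inf keys, assumed here to be the ones worth flagging.

```python
"""Defender-side autorun.inf checker (added example, not from the thread)."""
import os
import re
import tempfile
from pathlib import Path

# Directives that launch a program when the drive is inserted and Autorun is on.
EXEC_DIRECTIVES = {"open", "shellexecute"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")

# Constructed sample, modelled on the layout worm-dropped autorun.inf files use.
SAMPLE_AUTORUN = """; constructed sample for this example
[autorun]
open=v.cmd
shellexecute=v.cmd
shell\\open\\command=v.cmd
shell\\explore\\command=v.cmd
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
"""

# Constructed benign sample: only cosmetic keys, nothing executes.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=My Drive
"""


def parse_autorun(text):
    """Return {section: {key: value}} for an autorun.inf body.

    Tolerant on purpose: skips blank lines and ';' comments, strips a BOM,
    lowercases section and key names, keeps the last value of duplicate keys.
    """
    data = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            data.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        data[section][key.strip().lower()] = value.strip()
    return data


def assess_autorun(text):
    """Return a list of findings describing what this autorun.inf would do."""
    auto = parse_autorun(text).get("autorun", {})
    findings = []
    for key, value in auto.items():
        if key in EXEC_DIRECTIVES:
            findings.append(f"{key}= launches '{value}' on insertion when Autorun is enabled")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"context-menu verb '{verb}' is redirected to '{value}'")
        elif key == "shell":
            findings.append(f"double-click default verb changed to '{value}'")
    return findings


def scan_roots(roots):
    """Check each given drive root for autorun.inf; return {root: findings}."""
    results = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            # latin-1 never fails to decode, which matters for padded/obfuscated files
            results[str(root)] = assess_autorun(inf.read_text(encoding="latin-1"))
    return results


def demo_scan():
    """Write the constructed sample into a temporary 'drive root' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="latin-1")
        return scan_roots([root]).get(root, [])


if __name__ == "__main__":
    # On a real machine you would pass the mounted drive roots, e.g. ["E:\\", "F:\\"].
    for root, findings in scan_roots([Path(os.getcwd())]).items():
        print(root, findings)
    for line in demo_scan():
        print("sample:", line)
```

Run it against the mounted removable drive roots (for example `scan_roots(["E:\\", "F:\\"])`) after disabling Autorun as described above; an empty findings list for a drive means its autorun.inf launches nothing, while any finding is a reason to inspect the named file rather than open the drive by double-clicking.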
#13 KJLue (Topic Starter, Members, 61 posts, Gender: Female)

Posted 18 March 2008 - 04:55 PM

Thank you. I ran Kaspersky on the flash drive and the iPod and it didn't find anything. I guess the formatting worked! :thumbsup: I didn't run it on the computer because it was taking too long.

Autorun reminds me of how I found the v.cmd on the flash drive. After my Spyware Terminator alerted about it, I blocked it. Afterwards, I couldn't open it at all by double-clicking it or clicking open. I could only open it through the menu that comes with it. So, thinking it was nothing, I removed it from the blocked list (and have been regretting it ever since). It never detected it again.

I ran the powertoy you mentioned and disabled autorun. I will keep what you said in mind. I suppose the only way around that is to right click and click open or explore or use the menu instead. I'm taking a deep breath and proceeding as if everything is ok. I haven't checked all the processes yet but I'll get around to that. I'm sure they are fine.

So I guess this means all is well (unless the fact that I ran ComboFix earlier, before I posted, means anything regarding the outcome). Thanks so much for your help! I guess I was lucky! You guys are awesome! If I see any horrid symptoms later I shall post (it has only been 3 days). The next step (for anyone following this) is to change the passwords. Is there anything else I should avoid to ensure that these two infections don't happen again?

#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,744 posts, Gender: Male, Location: Virginia, USA)

Posted 19 March 2008 - 08:18 AM

You're welcome.

"...unless the fact that I ran combofix earlier before I posted means anything regarding the outcome"

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".

#15 KJLue (Topic Starter, Members, 61 posts, Gender: Female)

Posted 19 March 2008 - 09:40 AM

This computer hasn't had a restore point created in a very long time, I'd say more than 4 years. Can the infection still save itself into it? Do I still need to do this? I'm afraid to do this because, if the old restore point was clean and this one has any hidden stuff, I'd be worse off.
