Not Sure I Won My Fight Over Trojans And Virus


  • This topic is locked
32 replies to this topic

#1 bj91


Posted 05 April 2008 - 05:31 AM

Hi.
I've fought against Vundo/Virtumonde and won, following much advice I've read on these boards.
It seems everything's OK now. Yet I have some suspicious entries in my HijackThis and DSS logs, so I submit them here to be sure I'm done with that.

My concerns are with these lines. I don't know what these files are.

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [asqebeci] C:\WINDOWS\system32\luzclmxa.exe
O4 - HKCU\..\Run: [uaxzraga] C:\WINDOWS\system32\cbkhcpiv.exe


luzclmxa.exe does not exist anymore on my PC, same for cbkhcpiv.exe. So I wonder why these entries still show.
Don't know what Vidalia is.

Should I fix these lines with HijackThis?
Cheers

Attached Files
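A small triage helper for the O4 lines quoted above, added here as an example and not a tool anyone in the thread used: it parses HijackThis Run-key entries, reports which ones point at a file that no longer exists (the situation bj91 describes), and flags the eight-random-letter naming pattern shared by the two system32 entries. The `present` set is an assumed stand-in for checking the disk, so the code runs away from the infected machine; the `random-name` rule is a heuristic, not a verdict.

```python
import ntpath
import os
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the three O4 lines quoted in the opening post.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [asqebeci] C:\WINDOWS\system32\luzclmxa.exe
O4 - HKCU\..\Run: [uaxzraga] C:\WINDOWS\system32\cbkhcpiv.exe
"""

# HijackThis O4 line shape: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# The command is either a quoted path (may contain spaces) or an unquoted first token.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')
# Heuristic only: eight lowercase letters, the shape of both flagged names in the post.
RANDOM_RE = re.compile(r'^[a-z]{8}$')


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command string."""
    m = EXE_RE.match(cmd.strip())
    return (m.group('q') or m.group('u')) if m else cmd.strip()


def triage_run_entries(log_text: str, present: Optional[Iterable[str]] = None) -> List[Dict]:
    """One record per O4 line: value name, target path and triage flags.

    `present` is the assumed set of paths that exist on the scanned machine; it
    replaces os.path.exists so the check can run anywhere (None = ask the disk)."""
    present_set = {p.lower() for p in present} if present is not None else None
    records = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(m.group('cmd'))
        base = ntpath.splitext(ntpath.basename(path))[0]
        exists = os.path.exists(path) if present_set is None else path.lower() in present_set
        flags = []
        if not exists:
            flags.append('orphaned')      # the Run value outlived its file
        if RANDOM_RE.match(m.group('name')) and RANDOM_RE.match(base) \
                and 'system32' in path.lower():
            flags.append('random-name')   # value name and file name both look generated
        records.append({'name': m.group('name'), 'path': path, 'flags': flags})
    return records


if __name__ == '__main__':
    known = {r'C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe'}  # constructed
    for rec in triage_run_entries(SAMPLE_LOG, known):
        print(f"{rec['name']:<10} {','.join(rec['flags']) or 'ok':<22} {rec['path']}")
```

An orphaned entry is harmless by itself, but the two flags together are the pattern a helper would ask to see more of before calling a machine clean.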




#2 katana


Posted 12 April 2008 - 08:30 AM

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

----------------------------------------------------------------------------------------


Disable Teatimer
First step:
  • Right-click the Spybot icon in the System Tray (it looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have version 1.4, click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 bj91


Posted 12 April 2008 - 01:43 PM

Here are the two logs. VundoFix found nothing.

(Note: just to let you know, one day before you replied I used malaware antispyware and Spybot, and they removed the lines I posted about. Yet Spybot found Smitfraud.C in two registry entries, so I suspect I still have a virus, and malaware removed a Vundo entry too.)

Attached Files


Edited by bj91, 12 April 2008 - 02:36 PM.


#4 katana


Posted 12 April 2008 - 04:18 PM

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Backdoor.Ranky
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Backdoor Trojan, the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

#5 bj91


Posted 12 April 2008 - 05:02 PM

Considering the fact that this computer has no really risky data on it, and that reinstalling all the stuff I use for music composing would be a pain in the ass, I prefer trying to remove the trojan to reinstalling.

#6 katana


Posted 12 April 2008 - 05:04 PM

No problem, I'll be back shortly with some instructions :thumbsup:

#7 katana


Posted 12 April 2008 - 05:07 PM

SD Fix

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • SDFix Log
  • ComboFix Log
  • Installed Programs Log
  • Kaspersky Log


#8 bj91


Posted 12 April 2008 - 05:12 PM

Little question:
Before all this, do I need to stop System Restore?

#9 katana


Posted 12 April 2008 - 05:14 PM

Nope, you should leave System restore running.

Malware can and does play havoc when you try and remove it.
It is better to have an infected restore point than a dead machine.

#10 bj91


Posted 12 April 2008 - 05:15 PM

Do I need to do all those scans in Safe Mode, or just the first one?

Edited by bj91, 12 April 2008 - 05:19 PM.


#11 bj91


Posted 12 April 2008 - 05:22 PM

Well, I have difficulties downloading ComboFix. Each time I try, BitDefender tells me it's a backdoor.vb.xd virus and it won't load.

#12 katana


Posted 12 April 2008 - 05:27 PM

Only the first scan needs to be done in Safe Mode.

You will need to disable BitDefender to download and run ComboFix.

#13 bj91


Posted 12 April 2008 - 06:11 PM

OK, here are the SDFix and ComboFix reports.

Attached Files


Edited by bj91, 12 April 2008 - 06:24 PM.


#14 bj91


Posted 12 April 2008 - 06:21 PM

Here's the uninstall list from HijackThis.
Now running AVG (it has already found 2 viruses and 6 infected files, and it's just the beginning, it seems).

Attached Files


Edited by bj91, 12 April 2008 - 06:27 PM.


#15 bj91


Posted 12 April 2008 - 08:09 PM

Here's the Kaspersky log, and I'm done.

Now I'm waiting for next steps.

Attached Files


Edited by bj91, 12 April 2008 - 08:10 PM.

