I'm New And I Got The Nasty


11 replies to this topic

#1 Aaron516


Posted 14 April 2008 - 05:32 PM

OK guys, I'm new to this whole deal. I'm the guy who doesn't run anything on his computer to protect it, so I guess this is my fault. I was looking up honeymoon info on a WVCabins website or one very similar to it. Little bugs started eating holes in my screen for about 10 seconds, followed by the stupid background that everyone is getting. I have like a 19.2k internet connection, so I tried to download all the programs at school. I will let you know how it goes once I run some of them. I got MBAM setup, DAFT, Fixwareout, ComboFix and one other one to show my registry. Thank you for your help; I definitely appreciate it.


#2 boopme

  • Global Moderator

Posted 14 April 2008 - 08:39 PM

Hello. Please tell us the PC operating system (XP etc.).
Please post the MBAM log.
Please go here and install a free AV and scan, preferably from safe mode.
http://www.bleepingcomputer.com/forums/topic3616.html

Is your firewall turned on?

Please DO NOT run these tools without expert guidance. It can cause your PC to become inoperable: Fixwareout, ComboFix.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Aaron516

  • Topic Starter

Posted 15 April 2008 - 04:24 PM

I am running XP on it. I don't think the CD I made in class is working, so I might have to try downloading from this 19.2k.

#4 Aaron516

  • Topic Starter

Posted 15 April 2008 - 06:50 PM

Malwarebytes' Anti-Malware 1.11
Database version: 634

Scan type: Full Scan (C:\|)
Objects scanned: 111329
Time elapsed: 46 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\cssrss.exe (Backdoor.Knocker) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service (Backdoor.Knocker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmona (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{D786E964-6CC7-4FD3-A0E7-FB5ACB4EEE78}\RP381\A0293526.scr (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> No action taken.
C:\Program Files\MyWebSearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\settings.htm (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\system32\cssrss.exe (Backdoor.Knocker) -> No action taken.
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Savannah Nicole\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Savannah Nicole\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Savannah Nicole\Local Settings\Temp\svchost.bin (Heuristics.Reserved.Word.Exploit) -> No action taken.
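The log above is the plain-text report format of Malwarebytes' Anti-Malware 1.x. The following is an added example, not code from the thread or from Malwarebytes: a small parser for that format plus a triage pass that pulls out what a defender reads first in such a log (malware found running in memory, autorun persistence under a `Run` key, file names that imitate legitimate Windows processes such as `cssrss.exe` for `csrss.exe`, and how many items were left untreated). The embedded sample log is a constructed subset of the lines posted above; the list of legitimate process names and the one-edit-away masquerade rule are assumptions of this example.

```python
import os
import re
from collections import Counter

# Constructed sample: a subset of the MBAM 1.x log posted in this thread,
# in the same line shape (header, summary counts, then per-section items).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.11
Database version: 634

Scan type: Full Scan (C:\|)
Objects scanned: 111329
Time elapsed: 46 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 18

Memory Processes Infected:
C:\WINDOWS\system32\cssrss.exe (Backdoor.Knocker) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service (Backdoor.Knocker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmona (Trojan.Downloader) -> No action taken.

Files Infected:
C:\WINDOWS\system32\cssrss.exe (Backdoor.Knocker) -> No action taken.
C:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Savannah Nicole\Local Settings\Temp\svchost.bin (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")    # "Files Infected: 12"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed list of legitimate Windows process names that malware commonly imitates.
LEGIT_SYSTEM_NAMES = ("csrss", "ctfmon", "svchost", "lsass", "smss",
                      "winlogon", "services", "explorer", "spoolsv")


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into header fields, summary counts and detections."""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line) if section else None
        if m:
            detections.append({"section": section, **m.groupdict()})
            continue
        if section is None:  # still in the header block
            key, sep, val = line.partition(": ")
            header[key if sep else "product"] = val if sep else key
    return {"header": header, "summary": summary, "detections": detections}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character-off process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path):
    """Return the legitimate process name a file name imitates, or None.

    A stem one edit away from a real name (cssrss vs csrss) or the exact name
    with a non-.exe extension (svchost.bin) is treated as a masquerade."""
    if not re.match(r"^[A-Za-z]:\\", path):
        return None  # registry entries and other non-file items are skipped
    stem, ext = os.path.splitext(path.rsplit("\\", 1)[-1].lower())
    for legit in LEGIT_SYSTEM_NAMES:
        if edit_distance(stem, legit) <= 1 and (stem != legit or ext != ".exe"):
            return legit
    return None


def triage(report):
    """Pull out the findings a defender reads first in this kind of log."""
    det = report["detections"]
    running = [d["item"] for d in det if d["section"] == "Memory Processes Infected"]
    autorun = [d["item"] for d in det
               if d["section"] == "Registry Values Infected"
               and "\\currentversion\\run\\" in d["item"].lower()]
    lookalikes = sorted({d["item"].rsplit("\\", 1)[-1] for d in det if lookalike_of(d["item"])})
    untreated = sum(1 for d in det if d["action"].startswith("No action taken"))
    return {"running_malware": running, "autorun_persistence": autorun,
            "lookalike_names": lookalikes, "untreated": untreated,
            "families": Counter(d["family"] for d in det)}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"{rep['header']['product']}, db {rep['header']['Database version']}: "
          f"{len(rep['detections'])} detections")
    for key, value in triage(rep).items():
        print(f"{key}: {value}")
```

Run against the full log posted above, the triage output is what boopme reacts to in the next reply: a backdoor already running from a look-alike system file name, with two `Run` entries to bring it back at every logon, and every item still marked "No action taken".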

#5 boopme

  • Global Moderator

Posted 15 April 2008 - 07:46 PM

Hello again. Your PC is exposed to a backdoor trojan, and a high risk one at that.
Backdoor.Knocker is downloaded onto the computer by another threat and installs itself on the system. It will periodically report back to its home server the local operating system version, IP address and open port number. This information may then be subsequently used by the author/attacker to gain access to the computer.

Since you have no protection installed, you MUST consider the PC compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
Any banking, financial info, passwords etc. should be considered stolen and changed.

When Should I Format, How Should I Reinstall?

You have to decide whether you want to continue with the formatting or cleaning, and we will do our best, but we at BC cannot honestly promise you the PC is trustworthy for such data again.

#6 Aaron516

  • Topic Starter

Posted 15 April 2008 - 07:54 PM

I would almost rather reformat. I don't have anything of dire importance. I don't do any banking online, just PayPal, email, chats and stuff like that. Should I just change my passwords or delete all accounts and start fresh?

Edit * I'm not sure if my girlfriend still has the CD to reformat. Is there any way I can do it without it?

Edited by Aaron516, 15 April 2008 - 07:55 PM.


#7 boopme

  • Global Moderator

Posted 15 April 2008 - 09:34 PM

I would think not, but post that as a new question in the XP forum up top. Explain that you have malware and that the best course of action is a format, and they will help you with what they can. If all is not well, post here again and we'll try cleaning.

#8 quietman7

  • Global Moderator

Posted 16 April 2008 - 08:59 AM

If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD disk.

By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM with computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific recovery disk or recovery partition for performing a clean factory restore.

A Recovery Disk is a CD-ROM or DVD data disc that contains a complete copy/image of the entire contents of the hard drive that will restore the system to its factory default state at a certain time. Essentially, it will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Some factory restore CDs give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Before using a factory recovery disk make sure you back up all your data, photos, etc to another source such as a CD or external hard drive. If you do a Google Search, you will find links to topics on how to obtain a replacement recovery disk from various vendors.

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. Before using a recovery partition make sure you back up all your data, photos, etc to another source such as a CD or external hard drive.

Recovery partitions may only work with a start-up floppy disk, or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R disks for the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs.

Some built-in recovery partitions can be accessed by hitting Ctrl+F11, just F11 or F10 during BIOS startup. Others, like those used by IBM Thinkpads, will display a message at bootup instructing you to press F11 to boot from the recovery partition. For more information, see Understanding Partition recovery.

Again, if you do a Google search on recovery partitions, you can find information specifically related to the manufacturer of your machine. If you need additional assistance, you can start a new topic in the Windows XP Home and Professional forum. Each manufacturer's instructions are somewhat different, and members with the same type of machine as yours could better help with step-by-step instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Aaron516

  • Topic Starter

Posted 16 April 2008 - 06:48 PM

Malwarebytes' Anti-Malware 1.11
Database version: 636

Scan type: Quick Scan
Objects scanned: 29361
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


TY guys... I appreciate it.

#10 quietman7

  • Global Moderator

Posted 17 April 2008 - 06:44 AM

How is your computer running now? Any more reports/signs of infection?

#11 Aaron516

  • Topic Starter

Posted 18 April 2008 - 01:03 PM

Nope, once I reformatted it seemed fine. I changed my credit card numbers and all my passwords. I should be OK, right?

#12 quietman7

  • Global Moderator

Posted 18 April 2008 - 10:42 PM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".



