Computer Slow After Virus


20 replies to this topic

#1 tomh1991


Posted 22 April 2008 - 05:41 AM

Hi Guys,

I was happily browsing the web the other day when I was attacked by a virus. The consequence of this was annoying pop-ups advertising anti-virus software, and my computer running very slowly.

I had a similar virus a few months ago. ‘Security Toolbar 7.1’ installed itself onto my web browser and my home page was hijacked. So, I ran the anti-virus software I currently have. This is AntiVir and Ad-Aware 2007. It picked up the Trojan horse and I removed it. And after doing some research, I installed SmitFraudFix to remove the toolbar and the annoying flashing icon in the system tray. It worked a treat and I was back up and running.

So on discovering this latest virus, I ran the same steps as I did last time to try and remove it, even though this was not the same virus. I ran both AntiVir and Ad-Aware, and they both picked up several Trojan Horses. I removed these, and re-scanned my system to see if any more were picked up. All was clear! A non-legitimate anti-virus software did manage to install itself onto my computer, but I did manage to remove it manually.

I then ran SmitFraudFix to remove any odd files that were lurking in my system.

This seemed to solve the problem...sort of! There were no more pop-ups advertising anti-virus software, however my computer was running incredibly slow, and web-pages were taking forever to load, if they loaded at all. My desktop is also taking longer than usual to load when logged on. Also, when I am disconnected from the internet, I get a message asking me to connect or to work offline. This has never happened before, and I suspect there may be something on my computer which wants me to connect to the internet. I now also get random windows opening which display nothing when I am browsing, such as "HTTP 404 not found".

I did a bit more research, and installed SDFix. However, when I click ‘y’ to start the programme, I get a message saying “The system cannot find the path specified”. This message is repeated several times before the programme closes. I am clueless as to what this means. Also, on alternative occasions, I get a message saying “Bad command or file name”. I have re-installed the programme but these messages still persist.

Does anyone have any advice on how I can get my computer up and running again? It seems I have removed the Trojan Horse itself, however there is something still in my system which is nasty! Any help will be much appreciated.

Also I may not be able to check back to your feedback regularly, but will do when I can.

Thanks!

Here is my log file from SmitFraudFix. It is in two parts. The first section is after it has searched the files, the second once it has cleaned them.

SmitFraudFix v2.246

Scan done at 20:31:31.02, 21/04/2008
Run from C:\Documents and Settings\d\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\d


C:\Documents and Settings\d\Application Data


Start Menu


C:\DOCUME~1\d\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End

SmitFraudFix v2.246

Scan done at 20:35:21.33, 21/04/2008
Run from C:\Documents and Settings\d\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 208.67.70.3
127.0.0.1 38.99.150.167
127.0.0.1 38.99.150.205
127.0.0.1 88.255.90.60
127.0.0.1 opal.spod.org
127.0.0.1 sendspace.com
127.0.0.1 ad1.ny.yieldmanager.com
127.0.0.1 ad2.ny.yieldmanager.com
127.0.0.1 ny.yieldmanager.com
127.0.0.1 yieldmanager.com
127.0.0.1 193.165.167.2
127.0.0.1 152.66.249.135

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D4921F5-7EA4-4219-9454-E8CDD0722017}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Again, any help will be much appreciated. Thanks for your time.

Edited by rigel, 22 April 2008 - 07:00 AM.
Mod Edit ~ moved to a more appropriate forum
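The hosts section of the SmitFraudFix log above is the kind of thing a responder reads line by line: a hosts file maps names to addresses, so a line whose "name" is itself an IP literal does nothing for a normal lookup and usually means a tool or malware wrote it, while a real hostname pointed at a non-loopback address is the classic hijack pattern. The following Python checker is an added example, not part of this thread and not SmitFraudFix code; its sample input is constructed from the entries in the log above plus one invented non-loopback line (203.0.113.7 / www.example.com) so that the redirect branch is exercised.

```python
import ipaddress
from collections import Counter

# Constructed sample: entries copied from the SmitFraudFix output in the thread,
# one benign comment line, and one invented redirect (203.0.113.7) to exercise
# the non-loopback branch.  The 203.0.113.0/24 range is reserved for documentation.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 208.67.70.3
127.0.0.1 38.99.150.167
127.0.0.1 opal.spod.org
127.0.0.1 sendspace.com
127.0.0.1 ad1.ny.yieldmanager.com
203.0.113.7 www.example.com
"""

# Names that legitimately point at loopback in a stock hosts file.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address_text, [names]) for every mapping line, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing; ignore it
        entries.append((fields[0], fields[1:]))
    return entries


def is_ip_literal(name):
    """True when the 'name' field is really an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def audit_hosts(text):
    """Classify every hosts mapping into a finding a responder would review."""
    findings = []
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append({"kind": "unparseable-address", "address": addr_text, "name": " ".join(names)})
            continue
        sink = addr.is_loopback or addr.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0
        for name in names:
            if is_ip_literal(name):
                kind = "ip-literal-name"        # never matched by a lookup; junk or tampering
            elif sink and name.lower() in EXPECTED_LOOPBACK_NAMES:
                continue                         # stock entry, nothing to report
            elif sink:
                kind = "loopback-block"          # name deliberately black-holed
            else:
                kind = "non-loopback-redirect"   # name sent somewhere else: the hijack pattern
            findings.append({"kind": kind, "address": addr_text, "name": name})
    return findings


def summarize(findings):
    """Count findings per kind so a long hosts file can be skimmed."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"{f['kind']:24} {f['address']:16} {f['name']}")
    print(dict(summarize(results)))
```

Running it on the sample reports two IP-literal names, three loopback blocks and the one constructed redirect; `localhost` is silently accepted. On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts, and the redirect class is the one to treat as an active compromise indicator.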



#2 quietman7

Global Moderator

Posted 22 April 2008 - 09:47 AM

Hello tomh1991

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 tomh1991


Posted 22 April 2008 - 12:07 PM

Thanks for the reply. Will try this later.

#4 quietman7


Posted 22 April 2008 - 12:11 PM

Ok. Just post back with the scan results when done. Also let me know how the pc is running.

#5 tomh1991


Posted 22 April 2008 - 04:24 PM

Hi, thanks for the advice. PC is running much faster now, but I won't be able to post the log until tomorrow as I am on my PSP. However, I got this message on the web saying "If your computer is infected you could suffer data loss, erratic pc behaviour, pc freezes and crashes. Detect and remove these viruses before they activate themselves onto your pc to prevent these problems". I'm guessing this is fake. I also still got the odd blank window opening. Any ideas? As I said, I will post the log tomorrow. Thanks

#6 tomh1991


Posted 23 April 2008 - 02:44 AM

Hello again.

Here is my MBAM log. It seemed to be of benefit anyway, even though it did not solve the problem I posted in my previous post. It found 70 infections which were all Trojan/Malware related. My computer seems to be running up to its usual speed. I can now complete a Google Images search in a short amount of time. However on one occasion, a Google Image search took a long time, and this was when I encountered the message I described in my previous post.

Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Quick Scan
Objects scanned: 33363
Time elapsed: 18 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 11
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\ssqrqnmn.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\jkkkigde.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrqnmn (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08151fd4-6e2f-4330-9c56-7bcc3f4d0004} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{08151fd4-6e2f-4330-9c56-7bcc3f4d0004} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3212d89-5fa8-4a5e-82d6-79338f4fa023} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3212d89-5fa8-4a5e-82d6-79338f4fa023} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedProtection (Rogue.TrustedProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd5b8e5a8 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkigde -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkigde -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.

Folders Infected:
C:\WINDOWS\System32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\Program Files\VirusHeal 4.1 (Rogue.VirusHeal) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinPCDoctor (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xcsDd01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Local Settings\Temp\NI.UGA6P_0001_N122M2210 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Application Data\winpcdoctor (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Application Data\winpcdoctor\Logs (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\ssqrqnmn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jkkkigde.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\edgikkkj.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\edgikkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tyuxsdwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awdsxuyt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sdhjfiku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ukifjhds.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinPCDoctor\strpmon.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cvioctlw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\efcbxwvt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hgggheeb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kssdwegx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fnittwqf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Local Settings\Temporary Internet Files\Content.IE5\Q3OF8VMF\glas[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Application Data\install_en[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\VirusHeal 4.1\VirusHeal 4.1.exe (Rogue.VirusHeal) -> Quarantined and deleted successfully.
C:\Program Files\VirusHeal 4.1\vh.ini (Rogue.VirusHeal) -> Quarantined and deleted successfully.
C:\Program Files\VirusHeal 4.1\ignored.lst (Rogue.VirusHeal) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Local Settings\Temp\NI.UGA6P_0001_N122M2210\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.len (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Application Data\winpcdoctor\Logs\update.log (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rbdanoml.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rwwnw64d.exe (Adware.Zenosearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\d\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.

Anything out of the ordinary here?

Thanks

#7 quietman7


Posted 23 April 2008 - 07:30 AM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this.

Anything out of the ordinary here?

Your system was heavily infected. One or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
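The two points quietman7 makes from the log above, that "Delete on reboot" items are not gone until the machine restarts and that a Backdoor.Bot hit sitting in Winlogon\Userinit changes the whole risk picture, are exactly what a responder wants pulled out of a long MBAM report automatically. The parser below is an added example, not code from this thread or from Malwarebytes; it reads the MBAM 1.x log layout shown in the thread (section headers ending in "Infected:", one detection per line with an optional "Data:" field) and triages the entries. The embedded sample is a constructed subset of the entries posted above, and the list of persistence locations is an assumption drawn from the registry paths that appear in that log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the detection lines from the thread's MBAM log,
# kept in the original MBAM 1.x layout (raw string so the backslashes survive).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Quick Scan
Time elapsed: 18 minute(s), 20 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\ssqrqnmn.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrqnmn (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart (Trojan.DownLoader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.

Folders Infected:
C:\WINDOWS\System32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\System32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\rwwnw64d.exe (Adware.Zenosearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\d\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<item> (<label>) -> [Data: <data> -> ]<action>."  The item is greedy so paths
# containing " (" (e.g. "Program Files (x86)") still parse.
ENTRY_RE = re.compile(
    r"^(?P<item>.+) \((?P<label>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Section headers end in "Infected:" with no count; the summary lines carry a number.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")

# Assumed list of auto-start / load-point locations, lower-cased for matching.
# Drawn from the registry paths that appear in the thread's log.
PERSISTENCE_MARKERS = (
    "\\winlogon\\userinit",
    "\\winlogon\\notify\\",
    "\\control\\lsa\\authentication packages",
    "\\browser helper objects\\",
    "\\shellexecutehooks\\",
    "\\currentversion\\run\\",
    "\\programs\\startup\\",
)


def parse_mbam_log(text):
    """Return one dict (section, item, label, data, action) per detection line."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def triage(entries):
    """Group detections the way a responder reads them: what is still pending a
    reboot, what lives in a load point, and whether a backdoor family is present."""
    return {
        "by_section": Counter(e["section"] for e in entries),
        "by_family": Counter(e["label"].split(".")[0] for e in entries),
        "pending_reboot": [e for e in entries if e["action"] == "Delete on reboot"],
        "persistence": [e for e in entries
                        if any(mk in e["item"].lower() for mk in PERSISTENCE_MARKERS)],
        "backdoor": [e for e in entries if e["label"].startswith("Backdoor.")],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(MBAM_LOG))
    print("by section :", dict(report["by_section"]))
    print("by family  :", dict(report["by_family"]))
    print("pending reboot:", len(report["pending_reboot"]),
          "| load points:", len(report["persistence"]),
          "| backdoor hits:", len(report["backdoor"]))
    for e in report["backdoor"]:
        print("  BACKDOOR", e["section"], e["item"], e.get("data") or "")
```

On the sample this reports four items still pending a reboot (so the scan is not finished until the machine restarts), four detections in load points, and two Backdoor.Bot hits, one of which is the Userinit value pointing at ntos.exe. A non-empty "backdoor" list is the trigger for the credential-reset and reformat discussion in the reply above.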

#8 tomh1991


Posted 23 April 2008 - 09:14 AM

Hi, thanks for the reply. I do no online banking or anything finance-wise. Passwords only cover email and forums. As I am not really a computer expert, I am not sure which decision would be best. I will go with what you recommend. I don't want it to be difficult, although I'm not sure if I have a choice in that.
Also, I did reboot my pc after, but there was no ending message from the programme. Should there have been? Also, should my computer be fine to use offline now?

#9 quietman7


Posted 23 April 2008 - 09:21 AM

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action but I cannot make that decision for you.

If you wish to continue, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

#10 tomh1991


Posted 23 April 2008 - 09:29 AM

I am just running another MBAM scan as we speak. It has already found 17 infections in 7 minutes. If I am required to reboot, should there be a completion message when I start up again?

#11 tomh1991


Posted 23 April 2008 - 01:28 PM

Ok, I think I may have fixed my PC. I realised that because I was running the scans in safe mode, it may not have been picking up all the infections. So I scanned my system in normal mode. I deleted the other infections it found. I then scanned it again to make sure there were no more infections detected. I then ran AntiVir and Ad-Aware to make sure there were no more infections picked up on there. I restarted my computer. I noticed the 'work offline' box didn't appear. My PC seemed to be running quite.....

#12 tomh1991


Posted 23 April 2008 - 01:34 PM

...smoothly. I browsed the internet for about 10 minutes. It was running quite quick. No other windows opened and I didn't have the AntiSpywareSuite box come up. So all now seems to be ok. I will post up my latest log tomorrow just to get the all clear from you.

#13 quietman7


Posted 23 April 2008 - 01:46 PM

Ok, let's hope it stays that way. Then I will instruct you on how to set a new restore point and purge the old ones to prevent accidental re-infection in case any malware was backed up.

#14 tomh1991


Posted 25 April 2008 - 05:20 AM

Hi. Sorry about the late reply, I have been a bit busy of late. Here is my log file of when I ran my MBAM scan the other day.

Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Quick Scan
Objects scanned: 33874
Time elapsed: 23 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 quietman7


Posted 25 April 2008 - 07:43 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".