
Was/am Infected


  • This topic is locked
19 replies to this topic

#1 funnytim

funnytim

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 22 April 2008 - 08:56 PM

Hi,

After installing Norton Ghost yesterday, today, when I started up my computer, my TrendNet PC-cillin anti-virus program picked up a virus.

It also kept popping up a "dangerous website - close web browser and do not reopen" message even though I wasn't even browsing the internet.
I'm pretty sure that's a case of virus/spyware. And a dialog kept popping up... said my comp had a virus.

It said it cleaned it... and I should reboot. I did, but I'm not sure if it's 100% removed (if it even is). I did a couple of scans... but I still want to be sure it's all cleaned up.

Thanks.

Edit: I think the virus is still there... the "dangerous website - close web browser and do not reopen" message still kept reappearing, with sites I'm not on.
And the comp is really running a lot slower than before.
A "DrWatson Debugger failed... needs to close" error message also appears... after the whole system freezes... a reboot is needed.

I'm on Win XP Pro.

Edited by funnytim, 23 April 2008 - 01:10 AM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 April 2008 - 08:29 PM

Hello, I need to ask if you meant Trend Micro, not Trend net. Have you tried scanning from safe mode with the antivirus?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 23 April 2008 - 09:11 PM

Yes, I meant Trend Micro PC-cillin, not TrendNet (I got a new wireless router a while ago by TrendNet... got them confused). Sorry!

Here is my log:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 38132
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnlcdw (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcab133f (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbf9820a3 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Timothy Leung\Local Settings\Temporary Internet Files\Content.IE5\WD8X18GS\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amrnnhds.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ymngkqvr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\svehost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Timothy Leung\Desktop\lsass.zip (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


(Ran in safe mode).
Thanks.


Also, after running the scan, the computer seems to be "half" in Safe Mode. (I selected boot Windows normally after the scan.) Only administrator accounts appear on the welcome screen, and the computer theme is the classic version (like the one in Safe Mode), not the XP blue style. It does not say the "Safe Mode" text anywhere.

I've tried doing another reboot, to no avail.

Thanks.

Edited by funnytim, 23 April 2008 - 09:18 PM.


#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 23 April 2008 - 09:44 PM

Hello, I need to ask if you meant Trend Micro, not Trend net. Have you tried scanning from safe mode with the antivirus?


MBAM is mostly meant to run in normal mode, when it's at full strength.

See if you can repeat the scan in normal mode; if not, then you'll need to use SuperAntiSpyware from safe mode.
Chewy

No. Try not. Do... or do not. There is no try.

#5 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 23 April 2008 - 10:38 PM

I've tried running the scan in "normal mode".

After the scan, it asks me to reboot. I do so. Afterward, I run the scan again, but the same trojans keep showing up.


And as i said before, the comp seems to be "half in safe mode" (see post above).

Thanks.
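
Added example, not part of the thread or of Malwarebytes' software: a small Python parser for the MBAM 1.11 report format posted in #3, with the checks a helper would run against such a paste: whether each section's listing agrees with its summary count, which files were left as "Delete on reboot", and which paths come back in a later scan, as reported in #5. Both reports below are constructed and abbreviated from the posted log; the follow-up scan is invented to show a recurrence.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the MBAM 1.11 report posted in #3 (other sections omitted).
FIRST_SCAN = r"""
Memory Modules Infected: 2
Files Infected: 2
Memory Modules Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Unloaded module successfully.
Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Delete on reboot.
"""
# Constructed follow-up report after the reboot: one of the two DLLs is back.
SECOND_SCAN = r"""
Files Infected: 1
Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")     # e.g. "Files Infected: 7"
SECTION_RE = re.compile(r"^(.+ Infected):$")           # e.g. "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # "<path> (<family>) -> <action>"

def parse_mbam_log(text):
    """Return ({section: declared count}, [(section, path, family, action), ...])."""
    summary, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            items.append((section, *m.groups()))   # "(No malicious items detected)" never matches
    return summary, items

def count_mismatches(summary, items):
    """Sections whose listed items disagree with the declared count: a truncated or edited paste."""
    seen = Counter(section for section, *_ in items)
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}

def pending_on_reboot(items):
    """Files MBAM could not delete while Windows was running; they should be gone after the restart."""
    return sorted(path for _, path, _, action in items if action == "Delete on reboot.")

def survivors(first_items, later_items):
    """Paths present in both reports: the clean-and-reboot cycle did not remove them."""
    return sorted({p for _, p, _, _ in first_items} & {p for _, p, _, _ in later_items})
```

A path that is still reported after the reboot that was supposed to delete it is the signal that something else on the machine is recreating it, which is the point at which a helper stops relying on the self-help tools.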

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 23 April 2008 - 10:50 PM

Download SAS:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Update it, close the program, reboot into safe mode, run the program, and let it fix/remove any malware.

Post the log in a reply.
Chewy

No. Try not. Do... or do not. There is no try.

#7 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 23 April 2008 - 11:12 PM

I should also mention, my internet seems to be very slow right now. It's taking forever to download SAS.

As I mentioned above, I just got a new TrendNet TEW-852BPR wireless router. Could that be affecting the internet speed, or could it be the virus?
My other computer's internet is also very slow.


(I'm currently downloading SAS... will run the scan and post back the log ASAP.)

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 23 April 2008 - 11:25 PM

It's best to tackle one problem at a time. It's always better to use wired connections for downloads; wireless works great sometimes and awful other times.

It's a lot of trouble to try and fix a badly infected computer, and often it's a good idea to disconnect it from the internet.

You may be fixing one problem while a hidden component is downloading and replacing, or even upgrading, malware you removed.
Chewy

No. Try not. Do... or do not. There is no try.

#9 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 23 April 2008 - 11:35 PM

I couldn't even download it... the download froze halfway. Tried again, same thing. I had to use my other computer to download it, then transfer it over.


Then, it can't install. Says "system administrator has set policies to prevent this installation". My account is an administrator account. I've also tried using the default admin account, but the same message appears.

So... I can't even install it.

#10 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 24 April 2008 - 12:18 AM

Oops, didn't see your above reply.

I should've mentioned, I'm connected to my wireless router via wired... so yeah.


I've disconnected my infected comp from the internet now.


(Please see my above post.) Thanks.



Edit: Not sure if it's just my bad internet right now, but I can't access some websites like Facebook (I can through a proxy though... sometimes), even on my (hopefully) uninfected computer.

Edited by funnytim, 24 April 2008 - 02:02 AM.


#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 24 April 2008 - 06:09 AM

It's pretty obvious the infection is getting worse, or you have added a new one to an older one. The Vundo is obvious in the log and looks to be something fairly recent and particularly nasty.

http://www.bleepingcomputer.com/forums/ind...10&hl=vundo

You could try this, but I doubt it would work.

The HijackThis forum is still backed up and very busy.


Your infection really extends beyond the realm of the self-help tools.
Chewy

No. Try not. Do... or do not. There is no try.

#12 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 24 April 2008 - 10:44 AM

Oh man... how did I get this infection?!

The day before, I used Internet Explorer instead of Opera, which is what I usually used. Wonder if that's the problem...


Thanks, I will try that link you gave me when I get home (am currently at school).

If it doesn't work, I guess I should post a HijackThis log in the HijackThis forum?

For security measures, I've also disconnected my computer from the internet.

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 24 April 2008 - 11:01 AM

After installing Norton Ghost yesterday



Oh man... how did I get this infection?!


Coincidence; depends upon where you got Ghost?

One little trojan downloader can be 20 KB if I remember right. I did a test to see why my clients using LimeWire were all hosing their computers a couple of years ago; I was going to reload the computer anyway. You've never seen a wookie pull a Cat 5 cable so fast.
Chewy

No. Try not. Do... or do not. There is no try.

#14 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 24 April 2008 - 12:01 PM

Haha... you're right.

OK, I'll try the link you sent me when I get home, and I'll post any results I get.

But when I tried installing SAS yesterday, remember I got that error message? That message might come up again if I try installing those 2 you sent me... guess we'll see.

Thanks!

#15 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • Gender:Not Telling

Posted 24 April 2008 - 11:33 PM

OK, tried both tools; both found something apparently, cleaned + restarted it, but MBAM still finds the trojan.



