
Avast Found Trojans,


14 replies to this topic

#1 equinecpa

Posted 12 May 2008 - 02:23 AM

Yesterday afternoon I was downloading a file when, lo and behold, my AVAST sirens started going off like there was no tomorrow. Apparently I was being attacked by trojans, numerous trojans. As AVAST alerted me to each new threat, I tried to delete the file or move it to the quarantine chest, but on some it was unable to move/delete them. Yikes, says I. Finally the sirens stopped...but were the trojans gone?

I was worried at that point whether AVAST had been able to quarantine or delete all the necessary files, so I downloaded SUPERAntiSpyware and ran it. It found 16 items (not all trojans, but at least 2 or 3 were) and then asked me to reboot...nervously I did. And I had problems: the computer would reboot after a couple of minutes, network connections were gone, etc., my Boot.ini file had been corrupted, and I got an error message, "system has recovered from a serious error".

What to do now? I decided to do a boot scan with AVAST, figured out how to do that and ran it. 3 more trojans (or perhaps the same ones were found). I deleted them and proceeded. I got my computer booted up and the network connections were still MIA, and the computer still randomly rebooted after a couple of minutes.

Once it restarted I took a look at the processes and found most were disabled. I went into services.msc and re-enabled most of them (comparing options to the computer I'm working on now). I then rebooted...processes came back but I still had the boot.ini error. I tackled the boot.ini next, going through an 8 step process posted somewhere, and got that fixed...whew, one less thing to worry about.

So that brings me to where I am now. My computer is still showing the "system has recovered from a serious error" message and rebooting. I tried a few suggestions for that, including disabling autorestart and adjusting virtual memory. I let the computer restart yet once more and then jumped on the internet to go to windowsecurity.com to try their trojan detector..but I got the blue screen of death once I tried to activate the program.

The blue screen: details:
A problem has been detected and windows has been shutdown to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Run a system diagnostic utility supplied by your hardware manufacturer.
In particular, run a memory check, and check for faulty or mismatched memory. Try changing video adapters.

Disable or remove any newly installed hardware and drivers. Disable or remove any newly installed software. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

Technical Information:
(and here I don't quite know the layout from my scribbles)

Stop: aswsp.sys F21D7c4E (and then some numbers in parentheses - sorry I didn't get these)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance

Further research tells me that aswsp.sys is an AVAST file. I read somewhere to delete AVAST as it might be corrupted and get a fresh install. But herein lies my fear:

I'm not sure that once I uninstall the AVAST software I will be able to download the new avast or any other virus scanner for that matter. I fear I'll still have the reboot issue, so I have now thrown my hands in the air and am saying "Help me please!"

There are quite a few files on the computer that I'd like to get backed up but my computer is not recognizing my external hard drive (this is not a new issue it happened from time to time before). What would be a recommended method to get some large files backed up before I lose my data? The computer is on a network, do you think copying files would be safe?

Thanks I'm at your mercy now...

Carolyn

#2 equinecpa


Posted 12 May 2008 - 09:55 AM

I went ahead and took a deep breath and uninstalled AVAST. I was able to download and reinstall it. Now doing a deep boot virus scan...I think I'm almost recovered.

How can I be sure there are no residual malware files lurking, other than performing more scans with different software? Is there anything to look for? I've run through all the processes to make sure nothing unknown appears. I still don't feel comfortable that my troubles are behind me.

#3 quietman7


Posted 12 May 2008 - 10:15 AM

aswsp.sys is related to avast! self protection module/ALWIL Software. I was going to recommend to reinstall it but you have already done that with success.

Have you performed any anti-spyware scans?
Have you tried doing your scans in "Safe Mode"? Are you doing scans while logged into the "Administrator Account" or an "account with administrator privileges"?

You need to start there first. If you don't have any anti-malware programs, see BC's list of Freeware Replacements For Common Commercial Apps. There are several free online anti-virus scans listed which you can perform. I would also recommend that you download and scan with SUPERAntiSpyware Free in "Safe Mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 equinecpa


Posted 12 May 2008 - 10:26 AM

Hmmm maybe not so successful...I did reinstall it and rebooted to do a boot virus scan (which takes a long long time). I just walked back in to see the same blue screen of death and the same error. This is troubling...

I do have SUPERAntiSpyware installed. I'm afraid I'll probably have to uninstall AVAST to get the program to function properly and not give me the blue screen of death...update...I just uninstalled avast and am running SUPERAntiSpyware in safe mode. If that passes I will perform a couple of online anti-virus scans. I guess before I go surfing I'd like to get my computer protected. Since it seems I'm having problems with AVAST, can you recommend something else I can download and run?

To answer your questions:

I'm logged in as a user with admin privileges. Should I be logging in as administrator?

Edited by equinecpa, 12 May 2008 - 10:38 AM.


#5 quietman7


Posted 12 May 2008 - 10:43 AM

You can try using Avira AntiVir Personal - Free Antivirus or AVG Anti-Virus Free Edition 8.0 instead of avast!

Either logging in as Administrator or using an account with admin privileges will work.

Edited by quietman7, 12 May 2008 - 10:43 AM.


#6 equinecpa


Posted 12 May 2008 - 10:52 AM

Grr...SUPERAntiSpyware has found 19 items and is still checking files....

Here is what is currently listed on the screen:

Item: Detected Items
Adware.Vundo Variant Resident: 2
Trojan Unclassified - Packed/Suspicious: 11
Adware Tracking Cookie: 6
Rogue.MalWarrior: 1

So it would appear they are BACK! So what would be a good course of action to take? It'll be a while before the program finishes going through my files. I imagine I let it delete the files when done? Then reboot, rescan? Then download a new antivirus program, install and run?

#7 quietman7


Posted 12 May 2008 - 11:01 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Let SAS remove whatever it finds. Since SAS is finding Vundo and rogue files, you need to do the following when that scan is complete:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#8 equinecpa


Posted 12 May 2008 - 11:59 AM

OK, I did as instructed, and yup, it found more problems. Here is the log file.

Malwarebytes' Anti-Malware 1.12
Database version: 742

Scan type: Quick Scan
Objects scanned: 37979
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 25
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bapotkys.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\eiykgyqb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tuvWmKAp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayxutsS.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5404a84-0923-4a67-89c1-03e98ee90cd1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f5404a84-0923-4a67-89c1-03e98ee90cd1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\absolutetransfer.absolutetransfer (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\absolutetransfer.absolutetransfer.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88ebbe0b-5ff8-4b84-b043-71a216374a5b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ebbe0b-5ff8-4b84-b043-71a216374a5b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxutss (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c893f808 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{88ebbe0b-5ff8-4b84-b043-71a216374a5b} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvwmkap -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvwmkap -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008 (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bapotkys.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\syktopab.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eiykgyqb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bqygkyie.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvWmKAp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pAKmWvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pAKmWvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxutsS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ddcBSigf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcdDTMD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcdEtQI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJATkJA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBtQKE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnMGabx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKAPJb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUomnNg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvuVmK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2WMU879G\sdferw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn\Local Settings\Temporary Internet Files\Content.IE5\CK13XED1\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\LOG\20080511140249015.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yzbgqap.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.

So now what do I do? (while I'm waiting I'll download one of the virus programs you mentioned)
Thank you so much for your help

Carolyn

#9 quietman7


Posted 12 May 2008 - 12:05 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and post the new log report.
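An added example (written for this page, not from the thread or from Malwarebytes): a small Python parser for the MBAM 1.x log format posted in this thread. It pulls out every object still marked "Delete on reboot", which is the check quietman7's reply turns on, counts how many hits sit in the registry sections (the persistence entries), and flags detections whose family name starts with Rootkit or Backdoor (later in the thread the same yzbgqap.sys driver is reported under both names). The sample log embedded in the code is constructed from a handful of lines of the log above and is not a complete scan report; a section header without a trailing colon, as appears in a later log in this thread, is also accepted.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the shape of the Malwarebytes 1.x log posted in this thread.
# Paths and detection names are taken from that log; this is test input, not a full report.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.12
Database version: 742

Scan type: Quick Scan
Objects scanned: 37979

Memory Processes Infected: 0
Memory Modules Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bapotkys.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5404a84-0923-4a67-89c1-03e98ee90cd1} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvwmkap -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\bapotkys.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yzbgqap.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

Detection = namedtuple("Detection", "section obj family action")

# A section header is "<Name> Infected" with an optional colon and nothing after it;
# the summary lines ("Memory Modules Infected: 4") carry a count and so do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):?$")
# "<object> (<family>) -> <action>." ; registry data items carry an extra "Data: ... ->" segment.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return one Detection per object line, tagged with the section it was listed under."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            # Keep only the last "->" segment as the action, dropping any "Data: ..." part.
            action = m.group("rest").rsplit(" -> ", 1)[-1]
            detections.append(Detection(section, m.group("obj"), m.group("family"), action))
    return detections


def triage(detections):
    """Summarise a parsed log: what still needs a reboot, persistence hits, rootkit/backdoor hits."""
    pending = [d.obj for d in detections if d.action.lower().startswith("delete on reboot")]
    rootkit = [d for d in detections if d.family.lower().startswith(("rootkit", "backdoor"))]
    persistence = [d for d in detections if d.section.startswith("Registry")]
    return {
        "needs_reboot": bool(pending),
        "pending_reboot": pending,
        "rootkit_or_backdoor": [(d.obj, d.family) for d in rootkit],
        "persistence_entries": len(persistence),
        "by_family": Counter(d.family for d in detections),
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it over a saved MBAM log instead of the sample by reading the file into parse_mbam_log(); a non-empty pending_reboot list means the cleanup is not finished until the machine has been restarted and rescanned, and any rootkit_or_backdoor hit is the trigger for the "consider the machine compromised" advice given later in this thread.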

#10 equinecpa


Posted 12 May 2008 - 12:48 PM

I did reboot - I guess I posted the prereboot scan results.

Malwarebytes found more problems after another scan. Here are the results of that:

Malwarebytes' Anti-Malware 1.12
Database version: 742

Scan type: Quick Scan
Objects scanned: 37964
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tuvWmKAp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pAKmWvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pAKmWvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bapotkys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxutsS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yzbgqap.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I'll start yet another scan and see if anything comes up...

#11 quietman7


Posted 12 May 2008 - 12:56 PM

One or more of the identified infections was related to a rootkit component. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?", "Help: I Got Hacked. Now What Do I Do?" and "Reformatting the computer or troubleshooting; which is best?".

#12 equinecpa


Posted 12 May 2008 - 01:01 PM

Now isn't that good news? But I do appreciate your honesty. I'll read the links posted and then make a decision on whether I should reformat. One question on backing up my hard drive: how can I be sure I don't copy stuff over with it? (I have an older backup, but there are some changes I don't have backed up yet that I'd like to bring over.)

Here are the results of the last scan. I will change my online passwords from another computer (I don't think I stored many, but it certainly won't hurt to change them).


Malwarebytes' Anti-Malware 1.12
Database version: 742

Scan type: Quick Scan
Objects scanned: 37966
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yzbgqap.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.

This infection is still there - I just ran the software again and it was still infected in the same place. I'm not prepared to reformat and kill everything just today (but I do intend to follow through on your advice). I found this Backdoor.Rustock - Symantec.com - do you think this will help buy me some time?

Edited by equinecpa, 12 May 2008 - 01:25 PM.


#13 quietman7


Posted 12 May 2008 - 02:18 PM

There are several variants of Backdoor.Rustock, so let's try another fix tool that was recently updated to detect this one.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

As for backups, you can back up all your important documents, data files and photos. You should not back up any .exe files because they may be infected. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
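An added example to go with the backup advice in the reply above (written for this page, not from the thread or from any tool it mentions): a Python script that copies a folder tree to a backup location while leaving out files with executable extensions, and writes a SHA-256 manifest so the copied set can be re-checked after it has been scanned and before anything is restored. The extension list is an assumption that extends the ".exe" rule given above to other Windows executable types; the demo() function builds a constructed source tree in a temporary directory so the script runs offline.

```python
import hashlib
import os
import shutil
import tempfile

# Assumed list of executable extensions to leave out of a data backup. The thread only
# names .exe; the others are common Windows executable and script types added here.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif",
                         ".bat", ".cmd", ".vbs", ".js"}
MANIFEST_NAME = "MANIFEST.txt"


def sha256_of(path):
    """Hash a file in chunks so large photos and documents do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_data_files(src, dst):
    """Copy src into dst, skipping executable extensions.

    Returns (copied, skipped): copied is a list of (relative path, sha256), skipped a list of
    relative paths left behind. A manifest of the copied hashes is written into dst.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        for name in files:
            rel_path = os.path.normpath(os.path.join(rel_root, name))
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                skipped.append(rel_path)
                continue
            dst_path = os.path.join(dst, rel_path)
            os.makedirs(os.path.dirname(dst_path), exist_ok=True)
            shutil.copy2(os.path.join(root, name), dst_path)
            copied.append((rel_path, sha256_of(dst_path)))
    os.makedirs(dst, exist_ok=True)
    with open(os.path.join(dst, MANIFEST_NAME), "w") as m:
        for rel_path, digest in copied:
            m.write(f"{digest}  {rel_path}\n")
    return copied, skipped


def verify_manifest(dst):
    """Re-hash every file named in the manifest; return the relative paths whose hash changed."""
    changed = []
    with open(os.path.join(dst, MANIFEST_NAME)) as m:
        for line in m:
            digest, rel_path = line.rstrip("\n").split("  ", 1)
            if sha256_of(os.path.join(dst, rel_path)) != digest:
                changed.append(rel_path)
    return changed


def demo():
    """Build a constructed source tree in a temp dir, back it up, verify it, and report."""
    work = tempfile.mkdtemp(prefix="bc_backup_")
    src, dst = os.path.join(work, "MyDocs"), os.path.join(work, "Backup")
    constructed_files = {                      # constructed sample contents, not real files
        "taxes/2007_return.xls": b"spreadsheet bytes",
        "photos/barn.jpg": b"\xff\xd8\xff jpeg-ish bytes",
        "downloads/setup.exe": b"MZ executable bytes",
        "downloads/helper.dll": b"MZ library bytes",
    }
    for rel, data in constructed_files.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    copied, skipped = backup_data_files(src, dst)
    changed = verify_manifest(dst)
    shutil.rmtree(work)
    return {"copied": sorted(r for r, _ in copied),
            "skipped": sorted(skipped),
            "changed": changed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The skipped list is printed rather than silently dropped so the owner can see which programs will have to be reinstalled from original media instead of restored; verify_manifest() is meant to be run again after the backup has been scanned, so that a file the scanner cleaned or replaced shows up as changed before it is copied back.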

#14 equinecpa


Posted 12 May 2008 - 02:47 PM

Here is the log from that:


SDFix: Version 1.182
Run by Carolyn on 05/12/08 at 02:14 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\-92982~1 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 14:25:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

#15 equinecpa


Posted 12 May 2008 - 03:01 PM

Just ran Malwarebytes and nothing found! I feel we are on the right track to getting this system at least stable.

Big other problem: downloads of antivirus software were corrupt, so I'm currently not protected - I tried both AVIRA and AVG. I'm retrying AVIRA as I type, as it is the smaller of the two to download. I could reinstall AVAST but don't want to run into those serious system errors again.

Thanks!

Carolyn



