Remove Trojans But Still Having Issues


16 replies to this topic

#1 E-Mu

    Bleepin' Psychopomp

  • Members
  • 1,386 posts
  • Gender:Male
  • Location:UK

Posted 21 May 2008 - 12:02 PM

OK, I'm having a problem.

I've been downloading a couple of programs (will not go into details here) and I have picked up a few "free riders".
Last night I switched on my PC and it started going nuts with pop-ups, and Spybot was going mental with notifications. I turned it straight back off, booted into safe mode and ran Spybot and Windows Defender separately to clean my system.

Windows Defender found 3 Trojans, which were:

--- Trojan:win32/agent (x2)
--- Backdoor:win32/Rbot



I removed these and also searched for the infected files to make sure they were gone, then I deleted the items from quarantine.

Logging back into Windows normally, Spybot started with all the notification pop-ups again, no IE web pages this time though.

The notifications are the same two over and over again and I cannot get these to stop:

They are: [Posted Image (screenshot not preserved)]


I have no idea if I'm still infected, and if I'm not, how do I get rid of these notifications?

PC Specs

Windows Vista Home Premium 32-bit
Dual Core CPU 1.8Ghz
Foxconn CMX45 Motherboard
1 GB DDR2 RAM


PS: before anyone says anything, I know it's my own fault I have been infected, and lessons will be learnt eventually :thumbsup:

Many Thanks!

Edited by Emu1616, 21 May 2008 - 12:15 PM.

~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"


#2 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 May 2008 - 12:21 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Good thing you are running Vista; hopefully you didn't tweak all the security safeguards out of it.


I need to talk later about better security programs.
Chewy

No. Try not. Do... or do not. There is no try.

#3 E-Mu

  • Topic Starter

Posted 21 May 2008 - 12:41 PM

Thanks Chewy,

I will download and run this when I get home tonight and post up ASAP.

I've heard of programs that act like a virtual box, allowing you to install software and make changes etc., but only virtually, basically allowing you to test software and changes, and when you exit the changes are not implemented on the PC. Are these of any use, and what are the names, if anyone knows?


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,607 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 May 2008 - 02:39 PM

IMPORTANT NOTE: One of the identified infections (Backdoor:win32/Rbot) is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 E-Mu

  • Topic Starter

Posted 21 May 2008 - 04:39 PM

Malwarebytes' Anti-Malware 1.12
Database version: 775

Scan type: Quick Scan
Objects scanned: 37119
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Steve\AppData\Local\Temp\wvUmjIXQ.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Users\Steve\AppData\Local\Temp\knsmdysw.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\203dda04 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM230ee998 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Steve\AppData\Local\Temp\urQkIBrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\wvUmjIXQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Steve\AppData\Local\Temp\knsmdysw.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Steve\AppData\Local\Temp\tmp0001f298 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\rxloalca.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Steve\AppData\Local\Temp\cryrnjdb.dll (Trojan.Agent) -> Quarantined and deleted successfully.



I was a little shocked that the scan ran in under 4 minutes, but maybe this is supposed to happen.

Rebooted as requested but I'm still getting the damn notification pop-ups.

What next?

I was hoping not to have to reinstall, mainly due to the inconvenience and the fact that I have everything customised and it would take ages to set up again, plus doing a fresh backup of all my data will be a pain. Hopefully this can be avoided, but if I must then we will come to that in time.

Cheers!


#6 DaChew

Posted 21 May 2008 - 05:00 PM

http://www.bleepingcomputer.com/forums/ind...st&p=830458

Pay special attention to any Vista instructions.

Vista is supposed to be easier to clean than XP.


Don't ever name any kids Juan.

#7 E-Mu

  • Topic Starter

Posted 21 May 2008 - 06:36 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2008 at 00:22 AM

Application Version : 4.1.1046

Core Rules Database Version : 3465
Trace Rules Database Version: 1456

Scan type : Complete Scan
Total Scan Time : 00:30:21

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 5953
Registry threats detected : 2
File items scanned : 15319
File threats detected : 0

Adware.Vundo Variant/Rel
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\Steve\AppData\Local\Temp\xxYsSljG.dll,#1 ]
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#cmds [ rundll32.exe C:\Users\Steve\AppData\Local\Temp\wvUmjIXQ.dll,c ]



OK, here's the new log from the 2nd scanner. Removed a couple of things, and have not had the notification pop-ups after the restart... would we say that this is enough now, or do I need to do more?

Also, what programs would you recommend to run as antivirus & antispyware?

I'm off for tonight now; will try and look for a reply before work tomorrow, but if not I'll be back on tomorrow night if I need to do more.

Thanks!


#8 DaChew
</gr_replreplace>
<gr_replace lines="365" cat="clarify" orig="repeat MBAM">
Repeat MBAM; if Juan is back, you let the rootkit into the kernel.

Posted 21 May 2008 - 07:21 PM

repeat MBAM, if juan is back you let the rootkit into the kernel

#9 E-Mu

  • Topic Starter

Posted 23 May 2008 - 04:35 AM

Malwarebytes' Anti-Malware 1.12
Database version: 775

Scan type: Quick Scan
Objects scanned: 36482
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\203dda04 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM230ee998 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Scanned with MBAM again and this is what I got: Juan is gone but I've still got these other four. Clicked Remove Selected and rescanned immediately; the 2nd scan picked up the same four issues.

What can I do here?
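The Run-key entries in the logs above (posts #5, #7 and #9) are the persistence that keeps the notifications coming back: a value under HKCU\...\CurrentVersion\Run that has rundll32.exe load a freshly dropped DLL out of the user's Temp folder, re-created with a new DLL name each time it is removed. The script below is an added example for this thread, not a BleepingComputer, Malwarebytes or SUPERAntiSpyware tool. It parses constructed log lines in the format SUPERAntiSpyware used in post #7, flags that loader pattern, and compares two passes so you can tell a scanner that failed to delete an entry from one that is being regenerated by something still running. The Sidebar entry and the second-pass DLL name (qpLbRtVa.dll) are made up for illustration.

```python
"""Flag Vundo-style Run-key persistence in scanner log lines, and tell
apart "scanner could not delete it" from "something is re-creating it".

Added example for this thread, not a BleepingComputer or Malwarebytes tool.
Input is constructed to match the SUPERAntiSpyware log format shown above.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed first pass: two entries modelled on the thread's SAS log plus
# one made-up benign Sidebar entry so a legitimate Run value is present.
FIRST_PASS = r"""
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\Steve\AppData\Local\Temp\xxYsSljG.dll,#1 ]
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#cmds [ rundll32.exe C:\Users\Steve\AppData\Local\Temp\wvUmjIXQ.dll,c ]
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#Sidebar [ C:\Program Files\Windows Sidebar\sidebar.exe /autoRun ]
"""

# Constructed second pass after removal and reboot: MSServer is back but now
# points at a different Temp DLL (made-up name); cmds stayed gone.
SECOND_PASS = r"""
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\Steve\AppData\Local\Temp\qpLbRtVa.dll,#1 ]
HKU\S-1-5-21-3587073503-3381551757-3310272493-1002\Software\Microsoft\Windows\CurrentVersion\Run#Sidebar [ C:\Program Files\Windows Sidebar\sidebar.exe /autoRun ]
"""

# One SAS log line: <key>#<value name> [ <command line> ]
LINE_RE = re.compile(r'^(?P<key>.+?)#(?P<name>[^\s\[]+)\s+\[\s*(?P<cmd>.*?)\s*\]\s*$')
# rundll32 <dll>,<export>; the export may be an ordinal such as #1 or a name
RUNDLL_RE = re.compile(
    r'^(?:.*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


class RunEntry(NamedTuple):
    key: str   # registry key path
    name: str  # value name (MSServer, cmds, ...)
    cmd: str   # command line stored in the value


def parse_sas_run_lines(text: str) -> List[RunEntry]:
    """Pull '<key>#<name> [ <command> ]' lines for CurrentVersion\\Run keys."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and '\\CurrentVersion\\Run' in m['key']:
            entries.append(RunEntry(m['key'], m['name'], m['cmd']))
    return entries


def suspicion_reasons(cmd: str) -> List[str]:
    """Reasons a Run value looks like Vundo-style persistence (empty = none)."""
    reasons = []
    m = RUNDLL_RE.match(cmd)
    if not m:
        return reasons  # only rundll32 loaders are scored here
    dll, export = m['dll'], m['export']
    if USER_TEMP_RE.search(dll):
        reasons.append('rundll32 loads a DLL from the user Temp directory')
    if export.startswith('#') or len(export) == 1:
        reasons.append(f'entry point is an ordinal or one-letter export ({export})')
    return reasons


def flag_entries(entries: List[RunEntry]) -> Dict[str, List[str]]:
    """Map value name -> reasons for every entry with at least one reason."""
    flagged = {}
    for e in entries:
        reasons = suspicion_reasons(e.cmd)
        if reasons:
            flagged[e.name] = reasons
    return flagged


def reappeared(before: List[RunEntry], after: List[RunEntry]) -> Dict[str, str]:
    """Flagged value names from the first pass that are present again.

    'same target' means the scanner never actually removed it; 'new target'
    means something still running re-created the value with a fresh DLL.
    """
    prev = {e.name: e.cmd for e in before}
    now = {e.name: e.cmd for e in after}
    result = {}
    for name in flag_entries(before):
        if name in now:
            result[name] = 'same target' if now[name] == prev[name] else f'new target: {now[name]}'
    return result


if __name__ == '__main__':
    first = parse_sas_run_lines(FIRST_PASS)
    for name, why in flag_entries(first).items():
        print(f'{name}: ' + '; '.join(why))
    for name, how in reappeared(first, parse_sas_run_lines(SECOND_PASS)).items():
        print(f'reappeared after removal: {name} ({how})')
```

Run it with `python vundo_runkeys.py` (file name is your choice). The same two signals are what to look for by hand in HKCU and HKLM ...\CurrentVersion\Run on the live machine: rundll32 pointing into a user-writable Temp path, and an ordinal or one-letter entry point. An entry that comes back with a new DLL name after a reboot is the loader still being active, which is why the advice in this thread is to run the fix tool, reboot, and only then rescan.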


#10 DaChew

Posted 23 May 2008 - 05:09 AM

Run the ATF Cleaner and VundoFix.

There's a new version for Juan:

http://www.bleepingcomputer.com/forums/ind...st&p=830380

With Vista, right-click and Run as administrator.

Reboot into normal mode.

Unload TeaTimer and Defender.

Run MBAM again.

Edited by DaChew, 23 May 2008 - 05:23 AM.


#11 DaChew

Posted 23 May 2008 - 05:11 AM

I like WinPatrol instead of TeaTimer,

and Avira Personal free edition.

#12 E-Mu

  • Topic Starter

Posted 24 May 2008 - 08:03 AM

Good News - I Hope

Results from VundoFix


VundoFix V7.0.5

Scan started at 12:25:07 24/05/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

VundoFix V7.0.5

Scan started at 12:40:05 24/05/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.5

Scan started at 13:47:21 24/05/2008

Listing files found while scanning....

No infected files were found.


and results from MBAM

Malwarebytes' Anti-Malware 1.12
Database version: 775

Scan type: Quick Scan
Objects scanned: 36470
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Will install WinPatrol and Avira later.

Hopefully this is the end of my troubles. Thanks DaChew!


#13 ruby1

    a forum member

  • Members
  • 2,375 posts

Posted 24 May 2008 - 08:33 AM

@emu1616: did you take note of, and did you understand the significance OF, what Global Mod quietman7 said in post 4 on this thread?

#14 E-Mu

  • Topic Starter

Posted 24 May 2008 - 12:29 PM

Yeah, I understood what was said about my PC not being totally safe, but at the moment it's not feasible to do a clean install.

I have no bank details, personal information or client information saved on my infected computer or any other on my network; it's something I never do. Any passwords that are saved are just for forums and email accounts, and no personal details are in my emails etc.

Until such time as I can do a clean install, I want to remove what I can for the time being.


#15 ruby1

Posted 24 May 2008 - 01:30 PM

> Yeah, I understood what was said about my PC not being totally safe, but at the moment it's not feasible to do a clean install.
>
> I have no bank details, personal information or client information saved on my infected computer or any other on my network; it's something I never do. Any passwords that are saved are just for forums and email accounts, and no personal details are in my emails etc.
>
> Until such time as I can do a clean install, I want to remove what I can for the time being.

This would, though, still mean someone could change THOSE passwords etc. and thus grab your emails :thumbsup: Just so you are aware of your possible predicament ...



