
I Got Really Infected With Trojans And Other Stuff



#1 brandonroy

Posted 14 July 2008 - 05:01 AM

I hate going through it all again, but I had some problems a few days ago. It was spyware making me think I had a virus. It was terrible. Registry editing, task manager and other stuff was "disabled by administrator" and I had "VIRUS ALERT!" almost everywhere I looked. IE kept opening, trying to take me somewhere. I trapped 6 trojans in AVG earlier today.

I've cleaned up almost everything (I think). One of the only problems I have left over that I know of is that the "all programs" are missing from the start menu. HOW CAN I FIX THIS. I can't find the fix anywhere!

I've used Spybot Search and Destroy to fix some things; however, I still have a couple of problems after scanning with Spybot Search and Destroy. Here is a screenshot. I haven't fixed these problems because I'm afraid it'll mess up my computer because they're Windows files. What should I do??

[screenshot of the Spybot Search and Destroy results (image not included)]

#2 DaChew

Posted 14 July 2008 - 05:35 AM

Download and install MBAM, do a scan, clean, and post the log.

Disable TeaTimer resident protection before doing the scan and clean.

http://www.bleepingcomputer.com/forums/ind...st&p=876163
Chewy

No. Try not. Do... or do not. There is no try.

#3 brandonroy

Posted 14 July 2008 - 07:41 AM

Well, my "all programs" is back in the start menu :]

During the scan with MBAM, AVG popped up with "threat detected!" almost after the scan was over with MBAM. I kept clicking "move to vault" as it popped up again about 4 times.


Here's the log:

Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 2

7:32:14 AM 7/14/2008
mbam-log-7-14-2008 (07-32-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150585
Time elapsed: 50 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8ac36d7-f602-4b69-99b5-2a812e05779f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8ac36d7-f602-4b69-99b5-2a812e05779f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f8ac36d7-f602-4b69-99b5-2a812e05779f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14825d26 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fsrpknov (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00103) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\eswa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\gpefaowr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
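
An added example, not from this thread or from Malwarebytes: a small Python parser for the MBAM 1.x log format posted above. It pulls out the autostart entries MBAM cleaned and the Explorer policy values it found flipped, so a responder can see which registry locations to re-check after the reboot (the hidden "All Programs" menu in post #1 corresponds to NoStartMenuMorePrograms being set to 1). The sample log lines are constructed in the same format, and the ProductId "Good" value is a placeholder.

```python
import re
from collections import Counter
# Constructed excerpt in the MBAM 1.x log format above; ProductId value is a placeholder.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14825d26 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (PRODUCT-ID-PLACEHOLDER) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "path (detection) -> [Bad: (x) Good: (y) -> ]action"; lazy path copes with "(x86)" in paths
ENTRY = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)
# Autostart locations MBAM cleaned in the posted log: re-check these after reboot.
PERSISTENCE_MARKERS = ("\\CurrentVersion\\Run\\", "\\Browser Helper Objects\\",
                       "\\ShellExecuteHooks\\", "\\ShellServiceObjectDelayLoad\\")
# Explorer policy values the log showed flipped, with the symptom each causes.
POLICY_SYMPTOMS = {
    "NoStartMenuMorePrograms": "All Programs hidden from the Start menu",
    "NoSetFolders": "Settings folders removed from the Start menu",
}

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the section it came from."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if sec := SECTION.match(line):
            section = sec.group("name")
        elif section and (m := ENTRY.match(line)):
            items.append({"section": section, **m.groupdict()})
    return items

def summarize(items):
    # Persistence paths, (name, bad, good, symptom) tuples, and a count per detection.
    persistence = [i["path"] for i in items
                   if any(mk in i["path"] for mk in PERSISTENCE_MARKERS)]
    tampered = []
    for i in items:
        if i["bad"] is not None:
            name = i["path"].rsplit("\\", 1)[-1]
            tampered.append((name, i["bad"], i["good"],
                             POLICY_SYMPTOMS.get(name, "value restored")))
    return {"persistence": persistence, "tampered_values": tampered,
            "by_detection": Counter(i["detection"] for i in items)}
```

Feeding the full posted log to `parse_mbam_log` lists every Run, BHO, ShellExecuteHooks and ShellServiceObjectDelayLoad entry in one place, which is what the "run another scan after reboot" advice below is meant to confirm is gone.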

#4 DaChew

Posted 14 July 2008 - 12:48 PM

Run a scan with AVG from safe mode:

http://www.malwareremoval.com/tutorials/safemodeboot.php

Then reboot and disable AVG:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

and run another scan (quick, not full) with MBAM.

Too many cooks spoil the soup and end up fighting.

Edited by DaChew, 14 July 2008 - 12:50 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#5 brandonroy

Posted 14 July 2008 - 07:30 PM

Run a scan with AVG from safe mode:

http://www.malwareremoval.com/tutorials/safemodeboot.php

Then reboot and disable AVG:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

and run another scan (quick, not full) with MBAM.

Too many cooks spoil the soup and end up fighting.


Followed the instructions but nothing was found with AVG or MBAM. Now what?

#6 DaChew

Posted 14 July 2008 - 07:43 PM

How's your computer running now?

If it seems fine, then:

http://www.bleepingcomputer.com/forums/ind...mp;#entry844460
Chewy

No. Try not. Do... or do not. There is no try.

#7 brandonroy

Posted 14 July 2008 - 09:01 PM

How's your computer running now?

If it seems fine, then:

http://www.bleepingcomputer.com/forums/ind...mp;#entry844460



I guess it seems ok. However, when I restarted and ran MBAM, it caught the hijack.startmenu thing and fixed it again. I just *feel* like this stuff will come back, or like it's not entirely fixed. Also, what do I do with all these trojans in my AVG virus vault? I've got 17 trojans in there: trojan horse generics and other stuff.

Thanks for the help :thumbsup:

Edited by brandonroy, 14 July 2008 - 09:06 PM.


#8 DaChew

Posted 14 July 2008 - 10:21 PM

Clear the vault; the only reason for keeping something is if it's a false positive, and you can reinstall the file or setting.

I would flush my restore points, as a lot of malware uses system restore to back itself up.

Keep a close eye on the computer and run regular scans, and try not to get infected again.
Chewy

No. Try not. Do... or do not. There is no try.

#9 brandonroy

Posted 15 July 2008 - 06:59 AM

Clear the vault; the only reason for keeping something is if it's a false positive, and you can reinstall the file or setting.

I would flush my restore points, as a lot of malware uses system restore to back itself up.

Keep a close eye on the computer and run regular scans, and try not to get infected again.



Bleh, AVG detected another threat. I think it's copies of some of the same ones in my virus vault (I still haven't emptied it yet). I now have 18 trojans in the virus vault. And the threat popped up without even being connected to the internet. Most of them are trojan horse generic 10.BCCN and different numbers like that, and mostly in my system32 Windows folder. I still don't know if I should delete these from the vault. I think they'll pop right back up. I keep running scans but nothing is being found. I bet if I restart, something will be found again though. I cleared all my restore points.

