
Need Help With Trojan Invasions


9 replies to this topic

#1 CCRN396

CCRN396

  • Members
  • 505 posts
  • Gender:Male

Posted 21 July 2008 - 09:09 PM

My computer was infected with Antivirus XP 2008, which I now believe I have gotten rid of (hopefully all of it). I was still having some problems, such as trying to go to a website and being jumped to another unrelated site. I have performed a variety of spyware scans including SuperAntispyware, Spybot, Malwarebytes' Anti-Malware, as well as a Windows Live system scan, which revealed the following trojans: Trojan:win32/Busky.EC, Trojan:Win32/Tibs.J, Trojan:Win32/Vundo.gen!H, and Trojan:win32/Vundo.gen!R. I then ran Symantec's fix vundo, which states that it removed 1 virus. I have Trend Micro Internet Security on my computer but am worried that it has also been affected because it keeps saying that my "unauthorized change Prevention Service has been shut down". I have limited experience with computers so I am in desperate need of help with these problems!!!

CCRN396



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,756 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 July 2008 - 07:14 AM

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
-- Post the log in your next reply and let me know how your computer is running.

Also post the last scan results from MBAM.
Launch MBAM.
Click the Logs Tab at the top.
mbam-log-7-18-2008(09-52-04).txt should show in the list. <- your dates will be different from this example
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 CCRN396


Posted 23 July 2008 - 08:28 AM

Thank you, quietman7, for your help! So far I have not encountered any more problems with my computer since running Dr.Web CureIt. Here are the results of the log:

css4[1];C:\Documents and Settings\Heidi\Local Settings\Temporary Internet Files\Content.IE5\X4FUBN10;Trojan.Virtumod.based.21;Deleted.;

Here are the results of the last MBAM scan:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

11:03:10 PM 7/20/2008
mbam-log-7-20-2008 (23-03-09).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the MBAM Scan prior to the above one:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

7:27:12 PM 7/19/2008
mbam-log-7-19-2008 (19-27-12).txt

Scan type: Quick Scan
Objects scanned: 54645
Time elapsed: 14 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcjrtj0el9n (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjrtj0el9n (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcnrtj0el9n.exe (Trojan.FakeAlert) -> Delete on reboot.

#4 quietman7


Posted 23 July 2008 - 09:41 AM

That's good news.

However, your MBAM log indicates you are using an older version of MBAM with an outdated database. Please download the most current version of MBAM from here, remove the old and then install the new one. If you encounter any problems while downloading the updates, manually download the updates and just double-click on mbam-rules.exe to install.

After performing a new scan, don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#5 CCRN396


Posted 23 July 2008 - 11:20 AM

Should I perform the scan in normal mode or in safe mode?

#6 quietman7


Posted 23 July 2008 - 11:48 AM

Normal mode please.

#7 CCRN396


Posted 23 July 2008 - 05:22 PM

Thanks again!! That was a good call.

Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 2

6:03:26 PM 7/23/2008
mbam-log-7-23-2008 (18-03-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140305
Time elapsed: 1 hour(s), 49 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 CCRN396


Posted 23 July 2008 - 10:21 PM

All was fine until this eve, when I couldn't install my Windows update and then I was prevented from accessing certain sites such as this one and then lost my internet access completely. I performed a system scan using my antivirus program, Trend Internet Security, which I believe removed a bunch of spyware. I rebooted only to find that my antivirus program was claiming that my firewall was disabled. Just when I thought I was getting somewhere?!!

#9 quietman7


Posted 24 July 2008 - 08:03 AM

"I rebooted only to find that my antivirus program was claiming that my firewall was disabled"

What firewall are you using? Did you confirm if the firewall was actually disabled?

How was your Internet access after performing the scan and removing more spyware?

#10 CCRN396


Posted 24 July 2008 - 11:47 AM

Okay,
I'm using Trend Micro Internet Security. I've recently made some changes to secure my computer and I'm not sure if I'm trying to do too much at once and changed something I shouldn't have? The only way I could access the internet was to shut off Trend's firewall and to turn on Windows Firewall. I ran a diagnostic on my Internet connection (before shutting off Trend's firewall) and it stated to check my firewall settings & that Windows can't connect to internet using HTTP, HTTPS, or FTP. It also told me to check my port settings.
My Trend Internet Security icon is what alerted me that my firewall was disabled. When I opened the main screen I believe it was alerting me that it was off, but when I went to the firewall settings, everything was as I had set (ON).



