
Am I Really Safe?


9 replies to this topic

#1 coldwinterhotsummer


Posted 27 July 2008 - 09:55 PM

I downloaded a file and when I opened it, my Norton showed a pop up and it said that it blocked a Trojan. The info reads: Title: Trojan.Brojack. The time was 7/27/08 10:24:28 PM. Status: Blocked. Recommend action: Resolved- no action. It said that it blocked it. When I try to look for the file again, it was gone. Am I really safe? Is the Trojan completely out of my computer?

I was wondering, if I do a system restore to before I downloaded the file, will it be like I never got the Trojan? I looked at System Restore, and the latest point is at 10:24:37 PM: "Uninstall: Windows Defender Checkpoint". Did the Trojan do this? This is after Norton blocked it. I don't get why it was "uninstall". What about system recovery too?

Ty.

Edited by coldwinterhotsummer, 27 July 2008 - 09:57 PM.




#2 DaChew


Posted 28 July 2008 - 05:32 AM

The nastiest malware erases all previous system restore points and creates a new one; the only ones I would even start to trust are those created before you executed the download.

It looks like part of the nasty got by Norton; it doesn't surprise me at all.

http://www.bleepingcomputer.com/forums/ind...st&p=876163

Let's use MBAM to check if it did
Chewy

No. Try not. Do... or do not. There is no try.

#3 coldwinterhotsummer


Posted 28 July 2008 - 09:25 AM

Malwarebytes' Anti-Malware 1.23
Database version: 1000
Windows 6.0.6001 Service Pack 1

10:22:17 AM 7/28/2008
mbam-log-7-28-2008 (10-22-17).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 143054
Time elapsed: 26 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\NAME\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\NAME\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\NAME\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\NAME/My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\NAME\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\NAME\AppData\Local\Temp\lla2.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

#4 quietman7


Posted 28 July 2008 - 09:54 AM

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
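A small checker for the MBAM report format quoted above, added here as an example (it is not code from the thread or from Malwarebytes): it cross-checks the summary counts against the items actually listed and flags any entry whose status is not "Quarantined and deleted successfully", which is what an item looks like when the post-scan reboot was skipped. The sample log is constructed from the thread's first report; the `lla3.exe` line with a "Delete on reboot." status is an added, constructed entry.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.23 report quoted in the thread
# (trimmed). "NAME" is the poster's own redaction; the lla3.exe entry with a
# "Delete on reboot." status is constructed to show a not-yet-removed item.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.23
Database version: 1000
Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\NAME\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\NAME\AppData\Local\Temp\lla2.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\NAME\AppData\Local\Temp\lla3.exe (Trojan.Zlob) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")   # "Files Infected: 6"
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")                   # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<status>.+?)\.?$")
REMOVED = "Quarantined and deleted successfully"   # the only status that means "gone"


def parse_mbam_log(text):
    """Map each 'X Infected' heading to its summary count and to its (item, family, status) rows."""
    summary, detections, section = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("(No malicious"):
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
            detections.setdefault(section, [])
        elif section and (m := ITEM_RE.match(line)):
            detections[section].append((m["item"], m["family"], m["status"]))
    return summary, detections


def check_log(text):
    """Flag summary/item count mismatches and items not fully removed (e.g. after a skipped reboot)."""
    summary, detections = parse_mbam_log(text)
    mismatches = {s: (summary.get(s), len(items))
                  for s, items in detections.items() if summary.get(s) != len(items)}
    pending = [(s, item, status) for s, items in detections.items()
               for item, _, status in items if status != REMOVED]
    families = Counter(f for items in detections.values() for _, f, _ in items)
    return {"mismatches": mismatches, "pending": pending, "families": families}
```

Run `check_log` on a pasted report: an empty `pending` list and an empty `mismatches` dict is what a clean follow-up (like the Quick Scan later in this thread) should produce.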

#5 coldwinterhotsummer


Posted 28 July 2008 - 10:34 AM

Malwarebytes' Anti-Malware 1.23
Database version: 1000
Windows 6.0.6001 Service Pack 1

11:34:11 AM 7/28/2008
mbam-log-7-28-2008 (11-34-11).txt

Scan type: Quick Scan
Objects scanned: 31774
Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7


Posted 28 July 2008 - 10:42 AM

Please download ATF Cleaner by Atribune (alternate download link) & save it to your desktop. DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 coldwinterhotsummer


Posted 28 July 2008 - 06:20 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2008 at 07:13 PM

Application Version : 4.15.1000

Core Rules Database Version : 3519
Trace Rules Database Version: 1509

Scan type : Complete Scan
Total Scan Time : 06:27:00

Memory items scanned : 303
Memory threats detected : 0
Registry items scanned : 5316
Registry threats detected : 0
File items scanned : 116239
File threats detected : 5

Adware.Tracking Cookie
C:\Users\NAME\AppData\Roaming\Microsoft\Windows\Cookies\name@atwola[2].txt
C:\Users\NAME\AppData\Roaming\Microsoft\Windows\Cookies\name@revsci[2].txt
C:\Users\NAME\AppData\Roaming\Microsoft\Windows\Cookies\name@cdn.at.atwola[1].txt
C:\Users\NAME\AppData\Roaming\Microsoft\Windows\Cookies\name@at.atwola[1].txt
C:\Users\NAME\AppData\Roaming\Microsoft\Windows\Cookies\name@ar.atwola[1].txt

Edited by coldwinterhotsummer, 28 July 2008 - 06:33 PM.


#8 quietman7


Posted 29 July 2008 - 08:09 AM

Your SAS log looks good. It only found some cookies.

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

The type of cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. They are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners. Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups nor do they install malware.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize this by reading "Blocking & Managing Unwanted Cookies" and "Block Third-Party Cookies in IE7".

How is your computer running now? Any more reports/signs of infection?

#9 coldwinterhotsummer


Posted 29 July 2008 - 10:30 AM

It's running great, but I have some questions. MBAM says that it quarantined and deleted the infected files. What does this mean? Is it still on my computer? What happens if I uninstall MBAM? Will the virus come back?

Also, does a system recovery back to the factory state delete the virus? Or a system restore to a date before I downloaded the infected file?

Edited by coldwinterhotsummer, 29 July 2008 - 10:31 AM.


#10 quietman7


Posted 29 July 2008 - 11:10 AM

When an anti-virus or security program quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time. I recommend you keep MBAM and use it as part of your anti-malware and security toolkit rather than remove it.

There are basically two types of system recovery back to the factory state:

A Recovery Disk is a CD-ROM or DVD data disc that contains a complete copy/image of the entire contents of the hard drive that will restore the system to its factory default state at a certain time. Essentially, it will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

System Restore is a feature that allows you to restore your computer to a previous clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configuration, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. It protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. System Restore is enabled by default and contains configuration, settings and files that are necessary for your computer to run correctly. This includes:
  • registry configuration information for application, user, and operating system settings;
  • Windows File Protection files in the dllscache folder;
  • COM+ Database; Windows Management Instrumentation Database;
  • IIS Metabase configuration;
  • Files with extensions listed in the Monitored File Extensions list and Local Profiles.
By design, System Restore runs in the background and will automatically create a new restore point every 24 hours (system checkpoints). Restore points can also be manually created by the user at any time. When the allotted disk space is reached, the oldest restore point will be purged on a first-in, first-out (FIFO) basis. Otherwise, restore points over 90 days old are purged automatically. Each one of these restore points is chained (or linked) to the previous restore points. When a restore point is chosen, all restore points created prior to that restore point are also required to complete the restoration. During the process, a log is created or updated that tracks the consistency between the files System Restore is monitoring and the files that are actually backed up.

Keep in mind that System Restore will back up the good as well as the bad files, so when malware is present on the system it gets included in any restore points. It may be hard to pinpoint the exact day of an infection, as you could have had other malware on the system before all the symptoms began to appear. If you use System Restore you need to go back to a point before the malware infected your system, or you could get reinfected from a restore point that also backed up some bad files. If you go back too far it may undo some software installations and program updates that you have performed.

Edited by quietman7, 29 July 2008 - 11:14 AM.




