Stuck With A Ton Of Infections


12 replies to this topic

#1 lollysmiley
  • Members
  • 6 posts

Posted 17 August 2008 - 06:35 AM

Hi, I'm new to this place.

Recently my computer detected traces of malware.
There was this xop32.exe, navihelper.dll.
There was A0047699.exe as well as another A0049362.exe that respawned after AVG deleted the previous one.

Wonder if I should be putting up some HijackThis log? I know that some others are doing that, right? Sorry for being blur.
Erm, I'm really lost as to what to do. My computer is lagging during startup ever since then.
I hope there are no backdoors bringing in more?

Please help me solve my computer lag!
Thanks


#2 possumbarnes
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 17 August 2008 - 07:34 AM

If AVG found a few things, you probably have some more on there. If you don't have any other spyware scanners, download the following programs, run the updates, and run full scans:

Free version of SuperAntiSpyware
http://superantispyware.com/superantispywarefreevspro.html
Malwarebytes AntiMalware
http://www.download.com/Malwarebytes-Anti-...4-10804572.html
Spyware Terminator
http://www.spywareterminator.com/download/download.aspx
(With Spyware Terminator, during installation, be sure to uncheck the box for installing the Crawler Web Guard toolbar. It slows browsing down a lot. Also, don't install the ClamAV portion. It can cause a conflict with any other AV software you may have. And, lastly, once it is installed, be sure to go into settings and turn off Real Time protection. It just causes too many pop ups that you begin to ignore after a couple of days.)

These are just 3 free programs that I like to use. You can also download SpyBot: Search & Destroy and AdAware 2008 (and quite a few others). You can find them through a Google search, but these 3 are really good ones and do a good job cleaning. Run a full scan with all 3 programs. If they tell you to reboot to finish cleaning, then reboot. Once all 3 have run a full scan, run them all again. If anything shows up on the 2nd run, do them all a 3rd time. If anything is still showing up, come back and post what it is they are finding and cannot clean. There are some malware programs out there that have to be manually removed.

Good luck
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#3 lollysmiley
  • Topic Starter
  • Members
  • 6 posts

Posted 17 August 2008 - 08:22 AM

Is it only for moderators or staff to offer support? I thought I read it somewhere.
But anyway, guess it won't hurt to have more of these spyware cleanups.

#4 possumbarnes
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 17 August 2008 - 09:06 AM

Is it only for moderators or staff to offer support? I thought I read it somewhere.
But anyway, guess it won't hurt to have more of these spyware cleanups.

There are some threads that only moderators can post to, but most of the forums (including this one) are for anyone to help with. Moderators check in on threads and make sure no one is giving bad advice from time to time, along with posting help for people.

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,058 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 August 2008 - 07:28 PM

Hello, are you running an XP machine?
Please run the Malwarebytes scan and post that log. Then run the SuperA scan and post that log also.
Run the SuperA from safe mode.

How to start Windows in Safe Mode
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 lollysmiley
  • Topic Starter
  • Members
  • 6 posts

Posted 18 August 2008 - 07:56 AM

Wow, thanks for the prompt responses.
Really appreciative of both of you here.

I'm running on XP.

I ran both in safe mode. Just to be safe. Haha.
Basically I have Malwarebytes detecting one infected file at C:\ibmugcd.bat while the other has nothing.

Seems like the root ain't found yet, cos it still feels sluggish at startup. I wonder if it's PC clutter, but then seeing that this slowness is more sudden, I think it's the havoc of malware.

Here goes the logs:

___________________________________________________________
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/18/2008 at 04:07 AM

Application Version : 4.15.1000

Core Rules Database Version : 3538
Trace Rules Database Version: 1527

Scan type : Complete Scan
Total Scan Time : 04:08:21

Memory items scanned : 169
Memory threats detected : 0
Registry items scanned : 5419
Registry threats detected : 0
File items scanned : 97648
File threats detected : 0
__________________________________________________________________
Malwarebytes' Anti-Malware 1.24
Database version: 1060
Windows 5.1.2600 Service Pack 2

06:22:28 18/08/2008
mbam-log-8-18-2008 (06-22-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130852
Time elapsed: 2 hour(s), 41 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ibmugcd.bat (Trojan.Agent) -> Quarantined and deleted successfully.

_____________________________________________________________________


Right. Any more steps for me to take?
I had even used the ATF-Cleaner before the two were used to clean up temp files. And yeah, in safe mode.

Greatly appreciate it if anyone can continue to guide me.
Thanks again for the help =)

Edited by lollysmiley, 18 August 2008 - 08:09 AM.


#7 lollysmiley
  • Topic Starter
  • Members
  • 6 posts

Posted 18 August 2008 - 09:53 AM

Oh, by the way, my Internet Explorer: the little icon before the addresses, usually it is specified by the website, right?
Like for our forums here it is this computer logo.
However for iexplore the icon is a blue X for any page I surf to.
Is this also a browser hijack?

EDIT:
After yesterday's scan, I just checked my Internet Explorer 7. Seems OK somehow ever since that Trojan.Agent was removed. lol, kinda weird.

EDIT2:
Should I put up a HijackThis log for convenience?
I did a scan and there's this entry in the log that's bugging me.

Edited by lollysmiley, 18 August 2008 - 10:48 AM.


#8 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,058 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 August 2008 - 10:50 AM

Hello again. We do not allow HJT logs to be posted in this forum. We have a place for that and if needed we'll go there. :thumbsup:
Let's do 2 more things to be sure.
First open Malwarebytes again and check for an update. Then do another Quick scan from Normal mode. MBAM is actually a stronger tool from that condition. Post another log.

Now run SDFix, a stronger tool so please follow the instructions carefully.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 18 August 2008 - 10:52 AM.


#9 lollysmiley
  • Topic Starter
  • Members
  • 6 posts

Posted 19 August 2008 - 06:46 AM

Ahh, I did it a different way actually.
I started off with SDFix in safe mode.

Restarted the computer for the final scans and things, then removed internet and continued with scans using Malwarebytes and even SUPERAntiSpyware.
Here are the logs.
Seems quite clean to me.

_________________________________________________

SDFix: Version 1.217
Run by Ranger on 19/08/2008 at 00:24

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :

C:\WINDOWS
:9CF0346D9E9D4C9D 24
Total size: 24 bytes.
WINDOWS: deleted 24 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 00:36:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Dominic\\torrent\\utorrent.exe"="C:\\Dominic\\torrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 17 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 17 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BITC.tmp"
Mon 17 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BITE.tmp"
Mon 17 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d037d9bbbbdf880e477c3840b38c3180\BIT10.tmp"
Thu 29 May 2008 54,807,786 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ff1abc45bb4b51f55d5dd49be852a17a\BITC.tmp"

Finished!

____________________________________________________

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

06:11:58 19/08/2008
mbam-log-08-19-2008 (06-11-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127048
Time elapsed: 2 hour(s), 56 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_____________________________________________________


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/19/2008 at 02:55 AM

Application Version : 4.15.1000

Core Rules Database Version : 3538
Trace Rules Database Version: 1527

Scan type : Complete Scan
Total Scan Time : 02:13:19

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 5414
Registry threats detected : 0
File items scanned : 96966
File threats detected : 0

__________________________________________________


Clean means no probs? Or very well hidden probs?
Thanks for helping so much! Appreciate it!
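A small triage script, added here as an illustration and not part of the thread, of SDFix or of Malwarebytes: it parses the firewall "Authorized Application Key Export" in the .reg-style format SDFix printed above and lists which programs each profile currently allows inbound, so a helper can spot exceptions the user does not recognise. The sample export is constructed; in this XP SP2 format each value's data is `path:scope:Enabled|Disabled:label`, with `*` as scope meaning any source address.

```python
import re

# Constructed sample in the .reg-style format SDFix prints (not the thread's real export).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Dominic\\torrent\\utorrent.exe"="C:\\Dominic\\torrent\\utorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports double every backslash; undo that.
    return s.replace("\\\\", "\\")


def parse_authorized_apps(text):
    """Return a list of {profile, path, scope, enabled, label} dicts.

    The data repeats the value name (the path) before the scope, so the path is
    stripped by prefix instead of splitting on ':' (which would cut the drive letter).
    """
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Profile name is the key component just before 'authorizedapplications'.
            parts = key.group(1).lower().split("\\")
            profile = (parts[parts.index("authorizedapplications") - 1]
                       if "authorizedapplications" in parts else None)
            continue
        value = VALUE_RE.match(line)
        if not value or profile is None:
            continue
        path = _unescape(value.group("name"))
        data = _unescape(value.group("data"))
        rest = data[len(path):] if data.startswith(path) else data
        fields = rest.split(":", 3)
        if len(fields) != 4:
            continue  # malformed value: skip rather than guess
        _, scope, mode, label = fields
        entries.append({"profile": profile, "path": path, "scope": scope,
                        "enabled": mode.lower() == "enabled", "label": label})
    return entries


def enabled_by_profile(text):
    """Map each firewall profile to the labels of exceptions that are active."""
    result = {}
    for e in parse_authorized_apps(text):
        result.setdefault(e["profile"], [])
        if e["enabled"]:
            result[e["profile"]].append(e["label"])
    return result


if __name__ == "__main__":
    for profile, labels in enabled_by_profile(SAMPLE_EXPORT).items():
        print(profile, "allows inbound for:", ", ".join(labels))
```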

#10 flashystunnaboy
  • Banned
  • 28 posts
  • Gender:Male

Posted 19 August 2008 - 08:20 AM

No. What you need to do is go to http://www.emsisoft.com/en/software/free/ and download the program called a-squared. You can get the free version or a trial for the better version. Once you have it downloaded, update it, reboot in safe mode, scan your computer and remove what it finds.

#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,058 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 August 2008 - 11:19 AM

OK, things look good here.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#12 lollysmiley
  • Topic Starter
  • Members
  • 6 posts

Posted 22 August 2008 - 07:34 AM

Thanks. Should be OK now, I suppose, huh?

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,279 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 August 2008 - 09:32 AM

You're welcome on behalf of the Bleeping Computer community.

For Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators