Infected with unknown virus


27 replies to this topic

#1 Davis Engeler

Posted 27 October 2008 - 07:19 PM

Hey. I was infected by something. I'm not sure how. I got a firewall warning about svchost.exe. I said to keep blocking but the Firewall had been turned off. When I turned it back on the computer rebooted so I unplugged it from the net. I ran a Malwarebytes scan and it picked up a few things. Once they were repaired I ran a HJT (posted below).

Right now, the only problems I'm having (while unplugged from the net) is something trying to look like a Windows warning coming from the system tray telling me I'm infected. It's telling me to click it to download "Antimalware" programs, but don't worry... I didn't. Thanks in advance for help.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:31 PM, on 10/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.ed.local/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ElliottDavis, LLC
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YahooWidgetEngine.exe] "C:\Program Files\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe"
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Transform XP to Vista\Vista Start Menu\VistaStartMenu.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102092125030
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182452037406
O16 - DPF: {89172179-D07F-455E-BBEB-C41D42AEC078} - file:///C:/Program%20Files/Softomate/ToolbarStudio/projects/daviscreation_webinstall/daviscreation.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StoneGate VPN Client (SGClient) - Stonesoft Corp. - C:\Program Files\Stonesoft\StoneGate VPN Client\gatekeeper.exe

--
End of file - 6357 bytes


#2 SifuMike (malware expert, Staff Emeritus)

Posted 30 October 2008 - 06:06 PM

Hello Davis Engeler,

I ran a Malwarebytes


Please post the Malwarebytes log so I can see what it found.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Edited by SifuMike, 30 October 2008 - 06:10 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Davis Engeler (Topic Starter)

Posted 30 October 2008 - 06:19 PM

Great. Where can I find the log for the Malwarebytes? I'll post again when I have the report from SDFix and the log from Malwarebytes.

Thanks,
Davis.

#4 SifuMike

Posted 30 October 2008 - 06:31 PM

Hi Davis,

Open Malwarebytes, click on the Logs tab and you will find it.

#5 Davis Engeler (Topic Starter)

Posted 30 October 2008 - 07:26 PM

Alright. Here's the Malwarebytes log and the SDFix report.

One thing: SDFix didn't make a folder on the desktop. It made one in C: instead. I thought I might tell you so others might have an easier time.

Malwarebytes:

Malwarebytes' Anti-Malware 1.12
Database version: 783

Scan type: Full Scan (C:\|)
Objects scanned: 125773
Time elapsed: 1 hour(s), 40 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST.EXE (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.


SDFix:


SDFix: Version 1.238
Run by dmengeler on Thu 10/30/2008 at 08:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\SYSTEM32\TDSSOCUM.DLL - Deleted
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSPCUU.SYS - Deleted
C:\WINDOWS\SYSTEM32\TDSSWGQT.DAT - Deleted
C:\WINDOWS\SYSTEM32\TDSSNMXH.LOG - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 20:18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Stonesoft\\StoneGate VPN Client\\sgagent.exe"="C:\\Program Files\\Stonesoft\\StoneGate VPN Client\\sgagent.exe:*:Enabled:StoneGate VPN Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft ® Visual Studio VSA RPC Event Creator"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe"="C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe:*:Enabled:FLYWorld.exe"
"C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe"="C:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe:*:Enabled:FLYMonitor.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Net Tools\\nettools5.exe"="C:\\Program Files\\Net Tools\\nettools5.exe:*:Enabled:Net Tools by Mohammad Ahmadi Bidakhvidi"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\Documents and Settings\\dmengeler\\My Documents\\VPresent\\WinVNC2.exe"="C:\\Documents and Settings\\dmengeler\\My Documents\\VPresent\\WinVNC2.exe:*:Enabled:TightVNC Win32 Server"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\totacon.exe"="C:\\WINDOWS\\totacon.exe:*:Enabled:enable"
"C:\\WINDOWS\\herjek.exe"="C:\\WINDOWS\\herjek.exe:*:Enabled:enable"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\dmengeler\\temp\\TeamViewer3\\TeamViewer.exe"="C:\\Documents and Settings\\dmengeler\\temp\\TeamViewer3\\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application"
"C:\\Program Files\\TeamViewer3\\TeamViewer.exe"="C:\\Program Files\\TeamViewer3\\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 14 Apr 2008 1,695,232 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Wed 6 Jun 2007 1,808,553 A.SH. --- "C:\WINDOWS\system32\yyadd.bak1"
Sat 27 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 31 Aug 2007 1,409 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\FOR2FFE.tmp"
Fri 31 Aug 2007 1,409 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\FOR3001.tmp"
Fri 31 Aug 2007 64,116 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ZTR2FFD.tmp"
Fri 31 Aug 2007 19,248 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ZTR3000.tmp"
Thu 3 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\dmengeler\Application Data\U3\temp\Launchpad Removal.exe"

Finished!




Thanks again,
Davis.

#6 SifuMike

Posted 30 October 2008 - 09:48 PM

Hi Davis,

I am seeing some TDSS in the SDFix log. TDSSPCUU.SYS files are part of a nasty rootkit :thumbsup: and you should assume that your online passwords have been compromised.


Malwarebytes' Anti-Malware 1.12
Database version: 783


This is a very old version of Malwarebytes.
The latest version is Malwarebytes 1.30
Database version: 1340


Please update Malwarebytes to the latest version, run it again and post the log.

Then run HijackThis and post a fresh HijackThis log. :)

Edited by SifuMike, 30 October 2008 - 10:09 PM.

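The indicators SifuMike picks out by eye in the logs above (a svchost.exe running from system32\drivers, a bare brastk.exe Run entry, the karna.dat AppInit_DLLs value, TDSS-prefixed files, and a per-user Run value named SVCHOST.EXE) can be encoded as simple triage rules. The script below is an added example for this page, not code from the thread or from HijackThis, Malwarebytes or SDFix; the sample lines are copied from the logs posted earlier, and the rule names and the table of each core binary's home directory are assumptions for an XP install on C:\WINDOWS.

```python
"""Triage heuristics over the HijackThis / Malwarebytes / SDFix lines quoted in this thread.

Each rule encodes one thing a helper spots by eye in these logs:
  * a core Windows binary name (svchost.exe, lsass.exe, ...) running from a directory
    other than its home directory,
  * an O4 Run entry that gives a bare file name instead of a full path,
  * a non-empty O20 AppInit_DLLs value,
  * TDSS-prefixed files under system32,
  * a per-user Run value named after a core Windows binary.
"""
import re
from typing import NamedTuple

# Constructed sample: a subset of lines copied from the logs posted in the thread,
# one line per rule plus a few benign lines that must not trigger anything.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: karna.dat
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST.EXE (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSPCUU.SYS - Deleted
C:\WINDOWS\SYSTEM32\TDSSOCUM.DLL - Deleted
"""


class Finding(NamedTuple):
    rule: str
    evidence: str


# Assumption: XP installed on C:\WINDOWS. Maps each core binary to the only directory it
# legitimately starts from; the same name anywhere else is a masquerade.
RESERVED_LOCATIONS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path ending in an executable-like extension; spaces inside segments are allowed.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll|sys|dat|bat|log)\b', re.I)
RUN_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>\S.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>\S.*)$")
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<value>[^\s\\]+)", re.I)
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def check_path(path):
    """Rules that need only a file path."""
    directory, _, name = path.rpartition("\\")
    directory, name = directory.lower(), name.lower()
    findings = []
    home = RESERVED_LOCATIONS.get(name)
    if home is not None and directory != home:
        findings.append(Finding("reserved-name-outside-home-dir", path))
    if name.startswith("tdss") and directory.startswith(r"c:\windows\system32"):
        findings.append(Finding("tdss-file", path))
    return findings


def check_line(line):
    """Apply every rule to one log line and return the findings it produces."""
    findings = []
    for path in PATH_RE.findall(line):
        findings.extend(check_path(path))
    m = RUN_RE.match(line)
    if m and not FULL_PATH_RE.match(m.group("cmd")):
        # A bare name is resolved through the PATH search order and hides where the binary lives.
        findings.append(Finding("run-entry-without-full-path", line))
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is normally empty on an XP workstation; anything listed is loaded into every GUI process.
        findings.append(Finding("appinit-dlls-set", m.group("value")))
    m = RUN_VALUE_RE.search(line)
    if m and m.group("value").lower() in RESERVED_LOCATIONS:
        # Malwarebytes' "Heuristics.Reserved.Word" detection in the log above is this same idea.
        findings.append(Finding("run-value-named-like-system-binary", m.group("value")))
    return findings


def scan(text):
    """Run the rules over a whole pasted log and return all findings in order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:38} {f.evidence}")
```

Running it over the sample yields six findings and nothing for the benign smss.exe, system32\svchost.exe, Explorer.EXE, avgnt and ctfmon lines.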

#7 Davis Engeler (Topic Starter)

Posted 31 October 2008 - 03:42 PM

I've got a few questions before continuing.

you should assume that your online passwords have been compromised.

So does this mean that I need to change my passwords to everything? I haven't had anything happen with accounts.

Please update Malwarebytes to the latest version

Is it safe to connect to the internet long enough to update?


-Davis.

#8 SifuMike

Posted 31 October 2008 - 05:37 PM

Hi Davis,

Sorry to give you such bad news. :thumbsup:

So does this mean that I need to change my passwords to everything? I haven't had anything happen with accounts.


Yes.
Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Please read:
"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.



Is it safe to connect to the internet long enough to update?



Yes, after you change your passwords. Just because you have not seen passwords violated does not mean they are OK.

Edited by SifuMike, 31 October 2008 - 05:42 PM.


#9 Davis Engeler (Topic Starter)

Posted 31 October 2008 - 06:21 PM

Well this really sucks. :thumbsup:

I'm going to ask a few questions if you don't mind. I know you probably wouldn't be able to answer them all, but it can't hurt to ask.

-How was I infected with this?
-When was I infected?
-Are my other computers on my router affected?
-If I did format, could I safely take some text and files and transfer them to a flash drive to put on the computer later?
-It kind of went on and off with being my main computer a while back... was it only infected when I saw the effects because nothing happened until recently and I've done nothing important on the web since then. (I'm sure that made no sense.)

That's all I can think of right now. If it is safe to save a few files on a flash drive, I guess I can just format. Thankfully that's not my primary computer at the moment.

I'm sorry for all the questions but I really appreciate you.

Thanks,
Davis.

EDIT: I'm just going to leave the computer as is for now. Like I said up there ^ I'll just go ahead and reformat if I can keep a few files.

Edited by Davis Engeler, 31 October 2008 - 06:23 PM.


#10 SifuMike

Posted 31 October 2008 - 06:32 PM

Hi Davis,

How was I infected with this?


No one knows for sure. If we did know, then it would make prevention easy.
It may be caused by visiting an infected web site or downloading files with a P2P program (like Limewire).

-When was I infected?

I can't tell the date without running more programs to look at the file dates.

-Are my other computers on my router affected?

Can't tell without doing scans on them. I suggest you use the most current version of Malwarebytes with Full Scan on each of them.
If you see any TDSS then they are infected too.

-If I did format, could I safely take some text and files and transfer them to a flash drive to put on the computer later?

Yes, they should be OK, but (as a precaution) virus scan all of the files you are going to transfer with your antivirus scanner.


-It kind of went on and off with being my main computer a while back... was it only infected when I saw the effects because nothing happened until recently and I've done nothing important on the web since then. (I'm sure that made no sense.)


That was probably the TDSS infection taking hold. Just a guess. I have to see some file scans to see the date infected.
Sorry to give you such bad news. :thumbsup:

Let me know if you are going to reformat and reload or continue with the malware removal.

Edited by SifuMike, 31 October 2008 - 06:40 PM.


#11 Davis Engeler (Topic Starter)

Posted 31 October 2008 - 06:47 PM

-It kind of went on and off with being my main computer a while back... was it only infected when I saw the effects because nothing happened until recently and I've done nothing important on the web since then. (I'm sure that made no sense.)

That wasn't what I meant with that. :)
I meant to say that I used it on and off as my primary computer a while back. I haven't used it for anything on the web really for a while (and none since I saw something going on). Ugh. I don't really know what to do. I've got stuff on there from when I was first starting computers that I don't want (such as torrent clients and stuff). I'm thinking I'll just get the few files I want to keep and format. :)

If you think that's a good decision please help me with that. I'm just confused and upset. :thumbsup:

#12 SifuMike

Posted 31 October 2008 - 07:03 PM

Ugh. I don't really know what to do. I've got stuff on there from when I was first starting computers that I don't want (such as torrent clients and stuff). I'm thinking I'll just get the few files I want to keep and format.

I suggest you take your time and think about it awhile. There is no rush on a decision like this. In the meanwhile, disconnect this computer from the internet.
Perhaps you may want to make your decision tomorrow or the next day, when your mind is clearer.
I know this is not an easy decision to make.

If you think that's a good decision please help me with that. I'm just confused and upset


If I were you I would reformat and reload, as it is the only way to really be sure all the malware is gone; however, only you can decide.

If you decide not to reformat and reload, then I will do my best to remove all traces of it from your computer.

#13 Davis Engeler (Topic Starter)

Posted 31 October 2008 - 07:16 PM

Alright. I have had the computer unplugged from the internet since I saw something was happening. Since it's not my main computer, there's just a few programs and text from it I want. I think I will just reformat, but I have no idea about doing that. As long as nothing can get worse while it's off the net I can think a little better. :thumbsup:

I'll reply later on and let you know what I'm ready to do.

Thanks very much for your help,
Davis.

#14 SifuMike

Posted 31 October 2008 - 08:34 PM

You're very welcome. :thumbsup:

#15 Davis Engeler (Topic Starter)

Posted 03 November 2008 - 12:07 PM

Ok. I've decided to reformat. I've got the few documents I want to save on a flash drive, so I guess I'm ready. Could you help me with this?

Thanks again,
Davis.
