Tricky virus


This topic is locked. 13 replies to this topic.

#1 Andy8 (Members, 18 posts)

Posted 01 December 2008 - 07:16 AM

Hello. I have read the tutorials above but that didn't solve my problem. First of all, I will tell the whole "story", so that you can understand something of what I'm trying to say.

I reinstalled my operating system (Windows XP Pro) a few months ago, and a couple of weeks ago my PC started acting weird: while I was working with programs or browsing the internet it froze for a few seconds, programs stopped responding to any commands and I had to restart the PC in order to make it work again. Now, I am not a rookie in using my PC. I have enough experience and I have had a lot of trouble with viruses before. So I decided to format my hard disk. I had put all my stuff in one folder and I wrote that folder to a DVD. I reinstalled the operating system and formatted my hard disk, and when I opened my DVD, the virus got back into my PC. Now everything works as badly as before, slow and processing very hard, and sometimes programs crash, so I have to end them with Task Manager and start them again.

I had scanned the "infected" folder before writing it to the DVD with Avast!, NOD32, Kaspersky, Ad-Aware, Spybot-S&D, Avira Antivirus, a-squared (from EMSI) and even with the scanner from Comodo Firewall, but none found anything. With all these programs I had also performed a full system scan, and NOD32 found a trojan downloader and Ad-Aware found a monitoring tool of TAI 10 and also a trojan. But that was before I reinstalled my operating system. Now it seems that the virus is on my DVD and again on my PC, and I have no idea how to get rid of it; I scanned my DVD once again but nothing was found. I hope you understood something; I am also a little bit desperate right now :thumbsup: . If someone has any suggestions then please help me. Thank you!



#2 scff249, Indecisive Lurker (Members, 1,319 posts)

Posted 01 December 2008 - 08:10 AM

Just a quick preliminary before the higher ups give you instructions.

Are you saying you have multiple antivirus programs on your PC? If so, you should only keep one, as having multiple AVs can cause problems on your PC.

Edited by scff249, 01 December 2008 - 08:12 AM.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#3 Andy8, Topic Starter (Members, 18 posts)

Posted 01 December 2008 - 08:23 AM

No no no no no no... I have installed one antivirus and uninstalled the other one, so I had only one antivirus at a time, not two.
A weird thing is that 5 minutes ago I got that error saying that the remote procedure call has encountered a problem and my system will reboot. Now I have set it to take no action at the next failure. I hope this tip helps also, because I have met with this a long time ago.

#4 scff249, Indecisive Lurker (Members, 1,319 posts)

Posted 01 December 2008 - 10:04 AM

If possible, just try to keep to one antivirus instead of having to switch to other antivirus programs. It's usually better to stick with one and keep that (unless you have a specific reason for switching like dissatisfaction with the program, going from paid to free, etc).

From quietman7:

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.


Just to know, is anything that you currently have installed now detecting anything (also, can you list what you have installed)?

Other than that, someone should hopefully come and give you some tools to scan with (if there isn't anyone after 24 hours, post here or PM me and I'll find someone to help you). They're usually good about getting to people, so there shouldn't be much worry.

EDIT: Just to add, you can have multiple Antispyware/malware programs so long as they don't conflict with each other and the AV....and shutting up.

Edited by scff249, 01 December 2008 - 10:16 AM.



#5 Andy8, Topic Starter (Members, 18 posts)

Posted 01 December 2008 - 10:51 AM

First of all, thank you for your answers. I have tried the variety of antiviruses because I just wanted to test them, to see which is better. Now I have installed Comodo Firewall, Avira Antivirus and Ad-Aware.

#6 rigel, FD-BC (Members, 12,944 posts)

Posted 01 December 2008 - 08:37 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failing to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 Andy8, Topic Starter (Members, 18 posts)

Posted 02 December 2008 - 12:15 AM

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 2

12/2/2008 7:12:58 AM
mbam-log-2008-12-02 (07-12-58).txt

Scan type: Quick Scan
Objects scanned: 40365
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nothing was found. And to make this situation even more complicated, I was playing a game and suddenly my PC restarted with no warning... I am in a really big confusion now.

#8 rigel, FD-BC (Members, 12,944 posts)

Posted 02 December 2008 - 08:30 AM

Restarts may be caused by hardware as well as software...

Let's do this... rescan with Ad Aware, but do not clean your infection. Browse to the detected file and submit it here: Jotti's Please post back the results.

Thanks!



#9 Andy8, Topic Starter (Members, 18 posts)

Posted 02 December 2008 - 04:43 PM

I have some "good" news. Ad-Aware has found a malware of TAI 10 (lucky me :thumbsup: ) and I have submitted the files to the link from rigel. One is the rar package, and the other one is the .exe from it. I will post both of them. A strange thing is that I got this file yesterday and I installed my OS more than 2 days ago. Strange...

File: coduo_minimizer115a.zip
Status: INFECTED/MALWARE
Scan taken on 02 Dec 2008 21:38:44 (GMT)

A-Squared: Trojan-Dropper.Delf!IK
AntiVir: BDS/Delf.ijc
ArcaVir: Trojan.Downloader.Delf.Apy
Avast: Win32:Trojan-gen {Other}
AVG Antivirus: BackDoor.Generic9.AOBO
BitDefender: Backdoor.Generic.105299
ClamAV: Trojan.Delf-5306
CPsecure: BackDoor.W32.Delf.ijc
Dr.Web: nothing found
F-Prot Antivirus: W32/Backdoor2.CGGA
F-Secure Anti-Virus: Backdoor.Win32.Delf.ijc
G DATA: nothing found
Ikarus: Trojan-Dropper.Delf
Kaspersky Anti-Virus: Backdoor.Win32.Delf.ijc
NOD32: probably a variant of Win32/Delf (probable variant)
Norman Virus Control: nothing found
Panda Antivirus: nothing found
Sophos Antivirus: Mal/Generic-A
VirusBuster: nothing found
VBA32: Backdoor.Win32.Delf.ijc



The .exe unpacked from the rar:

Scan taken on 02 Dec 2008 21:36:43 (GMT)

A-Squared: Trojan-Dropper.Delf!IK
AntiVir: BDS/Delf.ijc
ArcaVir: Trojan.Downloader.Delf.Apy
Avast: Win32:Trojan-gen {Other}
AVG Antivirus: BackDoor.Generic9.AOBO
BitDefender: Backdoor.Generic.105299
ClamAV: Trojan.Delf-5306
CPsecure: BackDoor.W32.Delf.ijc
Dr.Web: nothing found
F-Prot Antivirus: W32/Backdoor2.CGGA
F-Secure Anti-Virus: Backdoor.Win32.Delf.ijc
G DATA: nothing found
Ikarus: Trojan-Dropper.Delf
Kaspersky Anti-Virus: Backdoor.Win32.Delf.ijc
NOD32: probably a variant of Win32/Delf (probable variant)
Norman Virus Control: nothing found
Panda Antivirus: nothing found
Sophos Antivirus: Mal/Generic-A
VirusBuster: nothing found
VBA32: Backdoor.Win32.Delf.ijc


Just want to add one more thing: Ad-Aware has also found some Internet Explorer cookies of TAI 3, but I don't think that should be the real problem.

Edited by Andy8, 02 December 2008 - 04:46 PM.
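The quietman7 quote in post #4 (each vendor has its own definitions, so the same file gets different names) is exactly what the Jotti results above show: fifteen of twenty engines flag the file, five miss it, and the names range from a specific family ("Delf.ijc") to pure generics ("Mal/Generic-A"). The following is an added example, not code from the thread or from Jotti: a Python script that parses Jotti's two-line engine/verdict layout and reduces it to a detection ratio plus a family-name vote, so a multi-engine report can be read at a glance. The embedded report text is the zip result posted above, re-typed as a constructed sample; the list of "generic" words that name a class rather than a family is my own assumption and would need tuning for other vendors' naming schemes.

```python
import re
from collections import Counter

# Constructed sample: the engine/verdict pairs from the Jotti report for
# coduo_minimizer115a.zip posted above, in Jotti's two-line "Engine / Found ..." layout.
JOTTI_REPORT = (
    "A-Squared\nFound Trojan-Dropper.Delf!IK\n"
    "AntiVir\nFound BDS/Delf.ijc\n"
    "ArcaVir\nFound Trojan.Downloader.Delf.Apy\n"
    "Avast\nFound Win32:Trojan-gen {Other}\n"
    "AVG Antivirus\nFound BackDoor.Generic9.AOBO\n"
    "BitDefender\nFound Backdoor.Generic.105299\n"
    "ClamAV\nFound Trojan.Delf-5306\n"
    "CPsecure\nFound BackDoor.W32.Delf.ijc\n"
    "Dr.Web\nFound nothing\n"
    "F-Prot Antivirus\nFound W32/Backdoor2.CGGA\n"
    "F-Secure Anti-Virus\nFound Backdoor.Win32.Delf.ijc\n"
    "G DATA\nFound nothing\n"
    "Ikarus\nFound Trojan-Dropper.Delf\n"
    "Kaspersky Anti-Virus\nFound Backdoor.Win32.Delf.ijc\n"
    "NOD32\nFound probably a variant of Win32/Delf (probable variant)\n"
    "Norman Virus Control\nFound nothing\n"
    "Panda Antivirus\nFound nothing\n"
    "Sophos Antivirus\nFound Mal/Generic-A\n"
    "VirusBuster\nFound nothing\n"
    "VBA32\nFound Backdoor.Win32.Delf.ijc\n"
)

# Assumed vocabulary: words that describe a behaviour class, platform or confidence
# level rather than a malware family, so they must not count as a family vote.
GENERIC_TOKENS = {
    "trojan", "backdoor", "bds", "dropper", "downloader", "generic", "gen", "mal",
    "win", "w32", "win32", "other", "variant", "probably", "probable",
}


def parse_report(text):
    """Map engine name -> verdict string, or None where the engine reported 'nothing'."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("report is not a sequence of engine/verdict line pairs")
    results = {}
    for engine, verdict in zip(lines[0::2], lines[1::2]):
        match = re.fullmatch(r"Found (.+)", verdict)
        if not match:
            raise ValueError(f"unexpected verdict line for {engine}: {verdict!r}")
        found = match.group(1)
        results[engine] = None if found.lower() == "nothing" else found
    return results


def family_tokens(verdict):
    """Alphabetic tokens of 3+ characters in a verdict, minus the generic vocabulary."""
    return {t.lower() for t in re.findall(r"[A-Za-z]{3,}", verdict)} - GENERIC_TOKENS


def summarize(results):
    """Detection ratio plus the family tokens the engines agree on, most common first."""
    detected = {engine: v for engine, v in results.items() if v}
    votes = Counter()
    for verdict in detected.values():
        votes.update(family_tokens(verdict))  # a set, so one vote per engine per token
    return {
        "engines": len(results),
        "detections": len(detected),
        "missed_by": sorted(engine for engine, v in results.items() if v is None),
        "families": votes.most_common(3),
    }


if __name__ == "__main__":
    s = summarize(parse_report(JOTTI_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"missed by: {', '.join(s['missed_by'])}")
    print("family vote:", s["families"])
```

On the report above this prints 15/20 with "delf" carrying ten votes and "ijc" (the variant suffix) five, which is the useful reading: the engines that name a family agree on it, and the generic verdicts from the rest are consistent with it rather than contradicting it. Two caveats a practitioner should keep in mind: the ratio is a count of signatures, not a probability that the file is malicious (a brand-new sample can score 0/20), and it is worth recording the file's hash before uploading it so the same sample can be looked up again later.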


#10 rigel, FD-BC (Members, 12,944 posts)

Posted 02 December 2008 - 08:22 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#11 Andy8, Topic Starter (Members, 18 posts)

Posted 03 December 2008 - 04:59 AM

SDFix: Version 1.240
Run by Andy on Wed 12/03/2008 at 07:19 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 07:21:22
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"D:\\Call of Duty\\CoDMP.exe"="D:\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"D:\\Call of Duty\\CoDUOMP.exe"="D:\\Call of Duty\\CoDUOMP.exe:*:Enabled:CoDUOMP"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

Files with Hidden Attributes :

Finished!



None... should I try it with HijackThis? Should I post a log?
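The one non-empty finding in the SDFix report above is catchme's line "detected NTDLL code modification: ZwClose". catchme reports this when the first bytes of an ntdll export in memory no longer match the module's image, which in practice means an inline hook: the function's prologue has been overwritten with a jump to code somewhere else. On its own that is not a verdict, because user-mode hooks on Zw*/Nt* functions are installed both by malware and by legitimate security products, so the question a responder asks next is where the jump lands. The following is an added example, not catchme's code and not anything posted in the thread: a Python model of that check on constructed data. It builds a clean copy of the 32-bit XP SP2 system-call stub layout, hooks one export the way a hook installer would, and then performs the disk-versus-memory comparison, classifies the trampoline and resolves its destination to a loaded module. All addresses, the service numbers and the module name "hookexample.dll" are constructed for the example; on a real host the "disk" side would come from the file's export table with relocations applied and the "memory" side from reading the live process.

```python
import struct

# Byte layout of a 32-bit Windows XP SP2 ntdll system-service stub, reconstructed from the
# documented pattern: mov eax, <service number>; mov edx, 7FFE0300h; call [edx]; ret 4.
def xp_syscall_stub(service_number):
    return (b"\xb8" + struct.pack("<I", service_number)  # mov eax, imm32
            + b"\xba\x00\x03\xfe\x7f"                     # mov edx, 0x7ffe0300
            + b"\xff\xd2"                                 # call [edx]
            + b"\xc2\x04\x00")                            # ret 4


def make_jmp_hook(func_va, target_va, original):
    """What a hook installer does: overwrite the first 5 bytes with 'jmp rel32' to target_va."""
    rel = target_va - (func_va + 5)
    return b"\xe9" + struct.pack("<i", rel) + original[5:]


def classify_patch(code):
    """Recognise the common inline-hook trampolines at the start of a function, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return ("jmp rel32", struct.unpack("<i", code[1:5])[0])
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        return ("jmp rel8", struct.unpack("<b", code[1:2])[0])
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp dword ptr [abs32]
        return ("jmp [abs32]", struct.unpack("<I", code[2:6])[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return ("push/ret", struct.unpack("<I", code[1:5])[0])
    if code[:1] == b"\xcc":                                      # int3 breakpoint
        return ("int3", 0)
    return None


def hook_target(func_va, patch):
    """Absolute destination of the trampoline, where it can be computed without a memory read."""
    kind, operand = patch
    if kind == "jmp rel32":
        return func_va + 5 + operand
    if kind == "jmp rel8":
        return func_va + 2 + operand
    if kind == "push/ret":
        return operand
    return None  # jmp [abs32] needs the pointer's contents; int3 has no static target


def owning_module(va, modules):
    """Name of the loaded module whose range contains va, or None for an unbacked region."""
    for name, (base, size) in modules.items():
        if base <= va < base + size:
            return name
    return None


def find_modified_exports(disk, memory, export_va, modules, prologue_len=16):
    """Compare each export's on-disk prologue with the in-memory copy and describe every difference."""
    findings = {}
    for name, clean in disk.items():
        live = memory.get(name)
        if live is None or live[:prologue_len] == clean[:prologue_len]:
            continue
        patch = classify_patch(live)
        target = hook_target(export_va[name], patch) if patch else None
        findings[name] = {
            "patch": patch[0] if patch else "unrecognised modification",
            "target": target,
            "module": owning_module(target, modules) if target is not None else None,
        }
    return findings


# Constructed sample: three exports, one of them hooked from a hypothetical DLL.
NTDLL_BASE = 0x7C900000
EXPORT_VA = {"ZwClose": NTDLL_BASE + 0xCFD0,
             "ZwCreateFile": NTDLL_BASE + 0xD0AE,
             "ZwOpenFile": NTDLL_BASE + 0xDCF5}
DISK_EXPORTS = {"ZwClose": xp_syscall_stub(0x19),
                "ZwCreateFile": xp_syscall_stub(0x25),
                "ZwOpenFile": xp_syscall_stub(0x74)}
MODULES = {"ntdll.dll": (NTDLL_BASE, 0xB0000),
           "hookexample.dll": (0x10000000, 0x20000)}   # hypothetical hooking module
HOOK_TARGET = 0x10001230
MEMORY_EXPORTS = dict(DISK_EXPORTS)
MEMORY_EXPORTS["ZwClose"] = make_jmp_hook(EXPORT_VA["ZwClose"], HOOK_TARGET, DISK_EXPORTS["ZwClose"])

if __name__ == "__main__":
    for name, f in find_modified_exports(DISK_EXPORTS, MEMORY_EXPORTS, EXPORT_VA, MODULES).items():
        print(f"detected NTDLL code modification: {name} ({f['patch']} -> {f['target']:#x}, {f['module']})")
```

The output for the sample is one line naming ZwClose, the jmp, its destination and the module that owns it. That last field is the triage value the catchme line lacks: a hook landing inside a module belonging to an installed security product is expected behaviour, while one landing in a module you cannot account for, or in memory backed by no module at all, is the thing to pull for analysis. Comparing only the first sixteen bytes is deliberate; inline hooks patch the prologue, and widening the window would flag ordinary relocations unless they are applied to the disk copy first.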

#12 Andy8, Topic Starter (Members, 18 posts)

Posted 03 December 2008 - 01:08 PM

If anyone has any suggestions please feel free to post, I really don't know what to do in this situation. It's like I'm fighting with an invisible virus... :thumbsup:

Edit: I have scanned my PC once again with Ad-Aware and look what it has found :flowers:

[Two screenshots of the Ad-Aware scan results were posted here.]

Edited by Andy8, 03 December 2008 - 03:12 PM.


#13 rigel, FD-BC (Members, 12,944 posts)

Posted 03 December 2008 - 06:27 PM

It is time to move to the HJT forum. Please follow this guide beginning at step (6). Post your log to the HJT forum and someone will be with you as soon as they can. You will be in good hands.



#14 boopme, To Insanity and Beyond (Global Moderator, 73,490 posts)

Posted 05 December 2008 - 12:05 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.



