
I'm 99% sure I'm infected, but I don't know by what at all


8 replies to this topic

#1 Noah N
  • Members
  • 5 posts

Posted 04 December 2008 - 12:38 AM

I hope I'm doing this right, but I don't have the mental energy anymore to read all of the procedures.. I feel so drained from trying to fight this by myself, so I'm sorry if I've done anything stupid or wrong. I also don't know what's relevant information, so I'm sorry if this post is a long read.. But, I really don't know what to do or how to get help. I am literally going to type out everything I know and remember.

If this post looks too long to read, scroll down to the bottom where it says "Why I think I'm infected"

Here's my story:
I'm not really that smart when it comes to malware and infections, so I don't even really know when I first got infected. I know that for a while now I've been getting pop-ups in firefox whenever I go to "questionable" sites (best way I can describe, meaning I don't get pop-ups from youtube, but I do get pop-ups from like entensity and even imageshack for example). I'm pretty sure that I'm not supposed to be getting pop-ups, because my friends don't get them, and we all use firefox. Also, I keep getting this "dumb test" pop-up, but that's the only recurring one I can think of (I never really paid attention to the pop-ups because I didn't realize they weren't normal until last night)

This was the first event that I can recall:
I think a couple months ago was the first time I knew I was infected and had to take action. I got a series of pop-ups which immediately sent my computer into a clicking/crunching frenzy, and then it started shutting itself down and restarting. When it started itself back up, the task manager was "disabled by an administrator" and I was getting an obviously planted bubble message telling me I'm infected and I should get their product. Unfortunately I don't remember what the product was, because I've never been through this kind of thing before and didn't think to remember.

All I had as "protection" at the time was Spybot S&D and Ad-Aware, but I couldn't run them because the infections were blocking it. I think I solved that problem by going into safe mode, and I think doing a system restore and/or I may have had to change the spybot exe to have a "1" at the end to stop it from being blocked. After running those two programs, I seemed to have gotten rid of everything at the time.

I think during those scans I remember it recognizing and removing Smitfraud.C (At least I think it had the .C at the end) and *maybe* Virtumonde, but I can't remember.

Second Event:
I think it was about a week after the first event, pretty much the same exact thing happened, but this time I had Spybot's TeaTimer, and it recognized Smitfraud trying to do something, and I was able to block it. Then, I think a day later it happened again, but this time much worse. I don't remember details very well at all, but I remember finding a file called bratsk.exe in my c:\windows\ folder, and I used google to find someone offer the suggestion of running Spybot S&D, Malwarebytes' Anti-Malware, SUPERAntiSpyware, SpywareBlaster, and CCleaner in that order.

I ran all of those in safe mode I think, including Ad-Aware too, and it seemed to fix my computer again.

Fast Forward to December 2nd 2008:
This is when I went to entensity, and I'm pretty sure I got 2 or 3 blank pop-ups behind the main firefox window, and my computer started clicking/crunching heavily, and I looked at task manager. There were about 10 different processes I've never seen before, all presumably installing themselves. My freaked-out panic reaction caused me to hit the restart button on the front of my computer. I'm pretty sure my computer crashed about 3 times in a row trying to start-up, and although safe mode worked, I couldn't for the life of me get any of the aforementioned anti-virus scanners to even load. I don't recall exactly how I got the computer to start up normally, but somehow I did get back into normal mode without a crash.

TeaTimer immediately gave me about 20 warnings in a row of different programs trying to change start-up settings and registry settings. At this point, I tried to scan with Spybot, and it gave me some kind of warning about "scanner manually disabled by user," and then showed a bunch of errors for every single item it tried to scan.

So, I went back into safe mode, and did a system restore to Nov 30th, and that fixed the scanners from not working, so I did all 4 of my scans in safe mode overnight. At the time I didn't know that you can set SUPERAntiSpyware to scan the entire computer, instead of just the default settings of "only known files" or something like that.

So, after that.. I did all 4 scans again (Spybot, Ad-Aware, Malwarebytes', SUPERAntiSpyware) in normal mode, and it found some more things in the System Volume Information folder.

This is where I may have done some stupid things, although I don't see any bad signs, so maybe not. After all those scans, I still didn't feel clean, so I inspected the c:\windows\ folder and the c:\windows\system32\ folder and sorted by recently modified. There were some of the .exe files all created at the time of infection, so I looked them up in google to make sure they were spyware, then deleted them manually. I wish I could tell you what they were, but they seemed like random letters. I think I remember seeing "_32" on the end of most of them.

Again, I remind you I pretty much have no experience in dealing with this except for what I've told you. At this point, I did a system search for any files created on that day, and deleted any files that were created within 2 minutes of the time of infection. The only two files I didn't delete were something that warned me it potentially could be the death of my computer if I deleted them.

The two files are still on my computer, and I'll post where they're located. The first one was created at 5:00 am (time of infection), and the second was created at 5:26 am, which I guess is when I logged onto Administrator in safe mode:

C:\Documents and Settings\Noah Nelson\Application Data\Microsoft\Crypto\RSA\S-1-5-21-789336058-1123561945-839522115-1003\e0e842231b38cecaa50a1eaeb44b3f22_c52aa906-a33a-44ad-bec8-f23254680db5

C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-789336058-1123561945-839522115-500\e0e842231b38cecaa50a1eaeb44b3f22_c52aa906-a33a-44ad-bec8-f23254680db5


I think it was at this point where, in a search about the system volume information folder which showed up two scans in a row by the same scanner, I found information that turning off system restore and turning it back on would delete any viruses in there, at the cost of all system restores. And, I did that.. I made a new system restore right after that.

After all that, basically everything else I've done has been re-running scans, restarting, running them again to see if anything popped up again, finding 1 or two infections every once in a while. And, on the side I've been searching google for possible solutions. That's how I ended up here, but unfortunately I tried to take matters into my own hands again after reading a similar problem on these forums (I hadn't read the warning about it being potentially harmful to follow instructions meant for others). Hopefully I didn't do anything stupid..

Today:
The thread I saw was someone complaining about a "dumb test" pop-up, which is what I searched for to find the thread in the first place. They were told to get ATF-Cleaner, and SUPERAntiSpyware and run both in safe mode. So, I did that.
Then they were told to run VundoFix in normal mode and VirtumundoBeGone in safe mode, and I did both, following the instructions. VundoFix found and removed 2 files, and as far as I can tell VirtumundoBeGone didn't have any negative effects.

Then they were told their Java was out of date, and that's how they probably got infected and they should update. So, I uninstalled all my Java and updated it with the most recent.

They were also told to run an online scanner "like bitdefender," which I tried to run but it wouldn't update, so I couldn't. Then, I tried a different one called Trend Micro housecall, and it reported finding 106 infections, 101 of those being referred to as "adware_memwatcher".

But, for some reason when it started the removal process, my cpu usage went to 100% and iexplorer was running at 99 in the process list, and it didn't move. I let it sit for about an hour, but it never made any progress. I gave up and decided to try again, since it had scanned the first time while I was at work, and I thought maybe if I acted sooner it would work properly. Again, it had the same problem after scanning, and I gave up and took a screenshot of what it reported to find so that I would at least have the file names. I couldn't figure out how to delete any of them manually, and I'll upload the screenshot if it'll help.

Here's what the file names/locations are from what it found:

First section, I forget what it was titled and it's not in the screenshot: "1 Infection"
HKU\S-1-5-21-789336058-1123561945-839522115-1003\Software\BestToolbar

Second section, ADWARE_MEMWATCHER: "101 Infections"
C:\WINDOWS\system32\drivers\etc\hosts\127.0.0.1
C:\WINDOWS\system32\drivers\etc\hosts\127.0.0.1

Third section, HTTP cookies: "4 Detected"
Internet Explorer Cache\atwola.com
Internet Explorer Cache\did-it.com
Internet Explorer Cache\revsci.net
Internet Explorer Cache\server iad liveperson.net

(I can't see the bottom of the last url in the screenshot, so I don't know if the spaces are dots, underscores or what)
I cleared Internet Explorer's "temporary internet files" after that, but I don't know if that got rid of anything.

Where I am now:
After this failed, I tried running it in firefox instead, but it wouldn't install/update properly and I couldn't get it to work. So, I saw somewhere else an instruction to run kaspersky online scanner, but then I realized it only creates a log file. It's still running in the background, but it is taking incredibly long, as it seems to be taking about 5 minutes to get through each part of a rar that has 50 parts so far.

At this point, I realized I've exhausted every single idea I've had so far, and my brain has turned to mush. I have no energy because I've been working on this for pretty much 41 hours, the only exceptions being some naps and work. I really need help from someone who knows what they're doing, and I hope I didn't make it immensely difficult or impossible to fix. I'm sorry I didn't come here sooner, and I'll appreciate any help you can offer, even if it's just help in reformatting my hard drive.

Why I think I'm infected, a quick summary:
The reason I think I'm infected is because, even after all my attempts at scanning and cleaning my computer, I'm still seeing pop-ups that I'm pretty sure shouldn't be there. Although, I haven't seen any pop-ups since before using Vundofix, I also haven't gone to any sites that would generally cause my pop-ups. What I have seen since then though, is when a site is pretty much blank with text on it, I see certain key words turned into links, and when I scroll over those links it brings up a small pop-up that chases my cursor, and I don't think that's normal for an uninfected computer.

I also think I'm infected, because I ran Trend Micro's housecall web scanner, and it reported that it found 106 infections, and it only managed to quarantine 1 of them before it froze up and wasn't able to clean anything. I manually deleted the quarantined item after kaspersky found it and showed me where it was being held (which is still running as I type, and that rar is up to part 71).

I would be extremely surprised to find out I'm somehow not infected after all this, but I have no idea what to do at all anymore, and I need help... Thank you to anyone who reads this or tries to help..

------------

Just adding that during a restart I got some kind of warning telling me dw20.exe couldn't initialize because the system was shutting down. I've never seen that before, but I thought any information would be helpful. Also, during startup I was watching the processes and saw something called imapi.exe for the first time. Looking up what they are, they seem to be normal windows processes, but I've never seen either of these until today. But, maybe I'm just being more paranoid and watchful than I've ever been.

Edited by Noah N, 04 December 2008 - 05:08 AM.
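The manual triage described in the first post (sorting C:\WINDOWS and C:\WINDOWS\system32 by date, then searching for everything created within two minutes of the infection time) is a reasonable timeline lead, but acting on it by deleting files is where it goes wrong: the two paths the poster spared under Application Data\Microsoft\Crypto\RSA\<SID>\ are CryptoAPI key containers that Windows creates at logon or on first use, which is why they appeared at 5:00 and again at 5:26 when Administrator logged in. The script below is an added example, not anything from the thread or from any of the tools named in it; it takes a constructed list of (path, creation time) pairs such as a file search would produce, keeps the ones in the window, and separates expected locations from entries that deserve a closer look, giving a reason for each. It produces a review list only; quarantining and submitting the files to a scanner is the next step, not deletion.

```python
from datetime import datetime, timedelta

# Constructed sample: (path, creation time) pairs, as a "files created on that
# day" search would list them. The file names are made up; only the "5:00 am"
# infection time and the Crypto\RSA location follow the post.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\hqkzxv_32.exe", datetime(2008, 12, 2, 5, 0, 12)),
    (r"C:\WINDOWS\system32\pmtrqa_32.exe", datetime(2008, 12, 2, 5, 0, 40)),
    (r"C:\WINDOWS\system32\drivers\etc\hosts", datetime(2008, 12, 2, 5, 1, 5)),
    (r"C:\Documents and Settings\User\Application Data\Microsoft\Crypto\RSA"
     r"\S-1-5-21-0-0-0-1003\0000000000000000000000000000000_00000000-0000-0000-0000-000000000000",
     datetime(2008, 12, 2, 5, 0, 3)),
    (r"C:\Documents and Settings\User\My Documents\notes.txt", datetime(2008, 12, 2, 9, 30, 0)),
    (r"C:\WINDOWS\system32\kernel32.dll", datetime(2008, 4, 14, 12, 0, 0)),
]

# Constructed reference point and search window (the post says "within 2 minutes").
INFECTION_TIME = datetime(2008, 12, 2, 5, 0, 0)
WINDOW = timedelta(minutes=2)

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def is_expected_location(path):
    """Locations that legitimately gain new files at logon or on first use.

    CryptoAPI key containers under ...\\Microsoft\\Crypto\\RSA\\<SID>\\ are
    written by Windows itself; deleting them breaks that account's
    certificates and EFS-encrypted files, so they are never review candidates.
    """
    return "\\microsoft\\crypto\\" in path.lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(files, t0, window):
    """Split files created within +/- window of t0 into "review" entries
    (each with a reason) and "expected" entries. Nothing is deleted."""
    lo, hi = t0 - window, t0 + window
    result = {"review": [], "expected": []}
    for path, ctime in files:
        if not (lo <= ctime <= hi):
            continue
        if is_expected_location(path):
            result["expected"].append(path)
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if in_system_dir(path) and name.endswith(EXECUTABLE_EXT):
            reason = "new executable in a Windows system directory"
        elif name == "hosts":
            reason = "hosts file (re)created: check its contents for redirects"
        else:
            reason = "created in the infection window"
        result["review"].append((path, reason))
    result["review"].sort(key=lambda item: item[0].lower())
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_FILES, INFECTION_TIME, WINDOW)
    for path, reason in report["review"]:
        print(f"REVIEW   {path}  <- {reason}")
    for path in report["expected"]:
        print(f"EXPECTED {path}")
```

Creation time alone is only a lead: a scanner or installer that ran at the same moment produces the same timestamps, so each "review" entry still needs its own identification before anything is removed.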



#2 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 04 December 2008 - 08:14 PM

For the time being, disable Tea Timer
-----------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Noah N
  • Topic Starter
  • Members
  • 5 posts

Posted 04 December 2008 - 08:44 PM

Thank you very much, I just did everything you said and the quick scan finished quicker than I thought it would. It didn't find anything, but I did realize the text ads I was talking about happen on this forum, so I have a picture example for you now. In the image, the ad showing only pops up when my mouse moves over the underlined text. The MBAM log is below the image.

[Posted Image: screenshot of the text ad that appears when the mouse moves over the underlined text]

--------------------------------------------------


Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 7:32:45 PM
mbam-log-2008-12-04 (19-32-45).txt

Scan type: Quick Scan
Objects scanned: 52276
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
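The MBAM log above has a fixed shape: a header, a summary block of "<category> Infected: N" counts, then one section per category listing either "(No malicious items detected)" or one item per line in the form "<object> (<family>) -> <action>". When you are reading many of these logs (or, as here, deciding whether "clean" really means zero), a small parser is more reliable than eyeballing. The following is an added example written for this thread, not code from Malwarebytes; the embedded log is constructed in the same layout as the one posted, with made-up detection lines so that the non-clean path is exercised.

```python
import re

# Constructed sample in the layout of the MBAM 1.31 log quoted in the thread.
# The three detection lines are placeholders, not findings from the poster's machine.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 7:32:45 PM
mbam-log-2008-12-04 (19-32-45).txt

Scan type: Quick Scan
Objects scanned: 52276
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ExampleToolbar (Adware.Example) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\example_32.exe (Trojan.Example) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example2_32.dll (Trojan.Example) -> Delete on reboot.
"""

HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {"meta", "summary", "items"} for one MBAM log.

    summary maps each category to its count from the summary block;
    items maps each category to the list of parsed detection lines.
    """
    meta, summary, items = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends a detail section
            continue
        m = HEADER_RE.match(line)
        if m:
            meta[m["key"]] = m["val"]
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["n"])
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]     # "Files Infected:" -> "Files Infected"
            items[section] = []
            continue
        if section and line != NO_ITEMS:
            m = ITEM_RE.match(line)
            items[section].append(
                {"object": m["obj"], "family": m["family"], "action": m["action"]}
                if m else {"object": line, "family": None, "action": None})
    return {"meta": meta, "summary": summary, "items": items}


def detections(report):
    return [it for sec in report["items"].values() for it in sec]


def is_clean(report):
    """Clean only if every summary count is zero AND no detail line was listed."""
    return sum(report["summary"].values()) == 0 and not detections(report)


def summary_matches_detail(report):
    """Cross-check: each category's count equals the number of lines under it."""
    return all(report["summary"].get(sec, 0) == len(its) for sec, its in report["items"].items())


def pending_reboot(report):
    """Objects MBAM could not remove yet; the note in reply #2 is about these."""
    return [it["object"] for it in detections(report)
            if it["action"] and "reboot" in it["action"].lower()]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(rep), "| consistent:", summary_matches_detail(rep))
    for it in detections(rep):
        print(f"{it['family']:<16} {it['action']:<42} {it['object']}")
    print("needs reboot:", pending_reboot(rep))
```

Run against the log posted above, `is_clean` returns True. The `pending_reboot` check matters for the reason given in reply #2: an item marked "Delete on reboot" is still on disk until the machine is restarted normally.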

#4 Noah N
  • Topic Starter
  • Members
  • 5 posts

Posted 04 December 2008 - 09:13 PM

Well, I don't know what's going on exactly.. But, I restarted after that scan and screenshot, and those text-ads aren't appearing right now. I don't know if it's fixed, or if it only shows up when it feels like it. I refreshed/reopened the page quite a few times looking for it, though.

#5 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 05 December 2008 - 11:26 AM

Your log is clean
Those pop-ups only appear when you browse the site, but are not logged on. In other words, you're a guest. Once you logon to your account they go away
It's advertising and one of the ways the site makes money to operate
Mark

#6 Noah N
  • Topic Starter
  • Members
  • 5 posts

Posted 05 December 2008 - 02:04 PM

Okay, but what about the infections that the Trend Micro online scanner found? None of my scanners are able to detect or remove those, and that scanner freezes up before being able to finish. And Ad-Aware is now reporting this every time it scans and "removes" it, but it still finds it after another scan, at least after a fresh restart (haven't done it twice in a row yet):

Infections Found
===========================
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\Documents and Settings\Noah Nelson\Recent Count: 32

(this is the only information I can find that it gives me, it doesn't seem to actually show me a file name)

But, if I'm really clean, then thank you very much for your help in relieving my worries, and I'll just keep on the lookout for any more real symptoms.

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 December 2008 - 04:26 PM

MRU stands for Most Recently Used. This is a listing of the last files you have used, perhaps similar to a tracking cookie. Just delete them; they will be back in some instances, as cookies do.
More of a privacy threat than anything else, as some could look in your system and see where you have been. But they are not true malware like a virus etc. Consider yourself clean. Also, an installed firewall and the application that finds them is prevention for someone looking into your system.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#8 Noah N
  • Topic Starter
  • Members
  • 5 posts

Posted 05 December 2008 - 06:54 PM

Thank you very much!

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 December 2008 - 09:49 PM

You are welcome from all of us at BC.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.



