Bunch of Trojans hit my machine



#1 thinktank

Posted 26 January 2009 - 07:58 PM

My Acer machine running WinXP has recently been attacked by a family of trojans listed by a Kaspersky scan:

Trojan.Win32.Agentb.ce
Worm.Win32.AutoRun.eav
Trojan-Downloader.Win32.Suurch.if
Worm.Win32.AutoRun.eav
Rootkit.Win32.Podnuha.bqs
Trojan.Win32.Agent.bkml

I used mbam and 'sort of' fixed it. My problems are not fully over.

1. Kaspersky still reports "trojan.win32.agent.bkml" as present.
2. Any webpage opened through IE does not show the image files. All images are broken and just a small square appears.
3. I am not sure if the virus/trojan has been completely removed from the system.

Kindly help me get through this situation. I am so scared to use this, the only machine I have. I have been totally off the internet for about a week now.

Thanks


#2 garmanma

Posted 26 January 2009 - 08:55 PM

The process of cleaning your computer may require temporarily disabling some security programs. If you are using Spybot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 thinktank

Posted 27 January 2009 - 04:48 PM

Thanks for your quick reply. Here is the log from mbam

Malwarebytes' Anti-Malware 1.33
Database version: 1699
Windows 5.1.2600 Service Pack 3

27-Jan-09 4:45:28 PM
mbam-log-2009-01-27 (16-45-28).txt

Scan type: Quick Scan
Objects scanned: 63689
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

But Kaspersky still shows the infection.

Cheers

#4 garmanma

Posted 27 January 2009 - 07:28 PM

First:
Please reboot the computer.
Open MBAM and click the Update tab, select Check for Updates; when done,
click the Scanner tab and select FULL scan.
After the scan click Remove Selected, and post the new scan log for review.
---------------------
Then run Kaspersky and post that log.
Mark

#5 DTech

Posted 27 January 2009 - 07:30 PM

I update MBAM then boot into safe mode and scan from there.

#6 thinktank

Posted 28 January 2009 - 04:33 PM

Hi,

This is the result of the full system scan

Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 3

28-Jan-09 4:27:33 PM
mbam-log-2009-01-28 (16-27-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 129307
Time elapsed: 1 hour(s), 29 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Cheers

#7 garmanma

Posted 28 January 2009 - 09:06 PM

What does Kaspersky say now that your log is clean?
About images not showing, read this help article:
http://support.microsoft.com/?kbid=283807

Edited by garmanma, 28 January 2009 - 09:11 PM.

Mark

#8 thinktank

Posted 29 January 2009 - 02:59 PM

Surprise... I was expecting the original viruses which were displayed all these days. But those are not seen, and I found another one instead.


Here is the report for a full system scan.

Thursday, January 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 29, 2009 11:02:00
Records in database: 1724238


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 75062
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 03:55:29

File name Threat name Threats count
C:\Documents and Settings\acer\Desktop\virus attack\tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

C:\yrwmdmle.exe Infected: Trojan-Dropper.Win32.Agent.afvy 1

The selected area was scanned.

------------------------------------------------------------------------------------------------------------------------

I understand that "not-a-virus:RiskTool.VBS.DisReg.a" is not a virus. That is the regedit tool that I downloaded when I couldn't get regedit up and running.

But the 2nd one, "Trojan-Dropper.Win32.Agent.afvy" ????



Just for your reference, the scan that I performed a couple of days before showed the following. It is to address the Win32.Agent.bkml that I started this post. Now I have a different trojan!!!


Monday, January 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 26, 2009 13:00:13
Records in database: 1698223

File name Threat name Threats count
C:\WINDOWS\system32\data.exe Infected: Trojan.Win32.Agent.bkml 1

-------------------------------------------------------------------------------------------------------------------------------------------------------
PS: Your help to fix the broken images problem helped. Thanks a lot. I wonder if the trojans cleared the check box for "Show Pictures" in the Multimedia option of the IE Advanced tab. I am pretty sure I didn't do it.
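
The two Kaspersky reports above are worth diffing mechanically rather than by eye: which detections are gone, which are new, and whether a new path looks like a dropper. The block below is an added example written for this page, not code from the thread or from Kaspersky. The two report excerpts embedded in it are constructed from the rows posted above, and the drive-root and vowel-ratio checks are illustrative heuristics, not detection rules from any product.

```python
"""Diff two Kaspersky Online Scanner reports and flag paths worth a closer look.

Added example for this thread, not code from the forum post or from Kaspersky.
The report excerpts below are constructed from the rows posted above; the
drive-root and vowel-ratio heuristics are illustrative assumptions only.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed excerpt of the 26 January report (one detection).
OLD_REPORT = r"""
Monday, January 26, 2009
File name Threat name Threats count
C:\WINDOWS\system32\data.exe Infected: Trojan.Win32.Agent.bkml 1
"""

# Constructed excerpt of the 29 January report (two detections).
NEW_REPORT = r"""
Thursday, January 29, 2009
File name Threat name Threats count
C:\Documents and Settings\acer\Desktop\virus attack\tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

C:\yrwmdmle.exe Infected: Trojan-Dropper.Win32.Agent.afvy 1

The selected area was scanned.
"""

# Detection rows look like: <path> Infected: <threat name> <count>
ROW_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


def parse_report(text: str) -> Dict[str, Detection]:
    """Return {lower-cased path: Detection} for every 'Infected:' row in a report."""
    found = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            det = Detection(m.group("path"), m.group("threat"), int(m.group("count")))
            found[det.path.lower()] = det  # NTFS paths are case-insensitive
    return found


def diff_reports(old: Dict[str, Detection], new: Dict[str, Detection]) -> Tuple[dict, dict, dict]:
    """Split detections into resolved (no longer reported), new, and persisting."""
    resolved = {p: d for p, d in old.items() if p not in new}
    added = {p: d for p, d in new.items() if p not in old}
    persisting = {p: d for p, d in new.items() if p in old}
    return resolved, added, persisting


def classify(det: Detection) -> List[str]:
    """Review flags for one detection: heuristics to prioritise attention, not verdicts."""
    flags = []
    # Kaspersky prefixes legitimate-but-risky tools with 'not-a-virus:'.
    flags.append("riskware" if det.threat.lower().startswith("not-a-virus:") else "malware")
    parent, _, name = det.path.rpartition("\\")
    stem = name.rsplit(".", 1)[0].lower()
    # Droppers frequently write straight to the drive root (C:\xxxxxxxx.exe).
    if re.fullmatch(r"[a-z]:", parent.lower()):
        flags.append("drive-root")
    # Assumed heuristic: long names with almost no vowels look machine-generated.
    if len(stem) >= 6 and sum(c in "aeiou" for c in stem) / len(stem) < 0.2:
        flags.append("random-name")
    return flags


def summarize(old_text: str, new_text: str) -> List[str]:
    """Human-readable diff of two reports, one line per path."""
    old, new = parse_report(old_text), parse_report(new_text)
    resolved, added, persisting = diff_reports(old, new)
    lines = []
    for label, group in (("RESOLVED", resolved), ("NEW", added), ("PERSISTING", persisting)):
        for det in group.values():
            lines.append(f"{label:10} {det.path}  [{det.threat}]  {', '.join(classify(det))}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(OLD_REPORT, NEW_REPORT)))
```

A "RESOLVED" entry only means the scanner no longer flags that path; the file may have been deleted by the earlier MBAM run, renamed by the malware, or simply missed after a signature change, which is why a second scanner's opinion is asked for in this thread rather than taking one clean log as proof.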

#9 thinktank

Posted 29 January 2009 - 03:01 PM

I tried to run MBAM in safe mode. The system powers down halfway through, and this is consistent. I am scared that if I keep repeating it the HD might crash, so I stopped working in safe mode and now all scans are only in normal mode.

#10 quietman7

Posted 29 January 2009 - 03:17 PM

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a Direct Disk Access (DDA) driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

MBAM has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file (C:\yrwmdmle.exe) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


If the file returns, then you probably still have malware on your system which is protecting or regenerating it.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 thinktank

Posted 29 January 2009 - 03:55 PM

I updated MBAM and ran a full system scan. It doesn't show this trojan/virus at all. Do I still use toolassassin?

#12 garmanma

Posted 29 January 2009 - 06:44 PM

Yes, please give it a try and post the log
Mark

#13 quietman7

Posted 30 January 2009 - 10:09 AM

"It doesn't show this trojan/virus at all"

Just because MBAM did not find the file, that does not mean it's not present. Kaspersky detected it.

#14 thinktank

Posted 30 January 2009 - 06:40 PM

I ran the toolassassin and deleted the file.

C:\yrwmdmle.exe Infected: Trojan-Dropper.Win32.Agent.afvy

But this file (C:\WINDOWS\system32\data.exe Infected: Trojan.Win32.Agent.bkml), which was originally detected by Kaspersky, was automatically not detected this time around. I am sure MBAM did not detect/fix it, nor did Norton, which is running on my machine. I wonder what happened.

I am planning to run one more full scan and I will post the status.

Meanwhile, could you please point me to articles to ensure that the external hard drive and flash drive which I used during the attack are free of viruses.

#15 quietman7

Posted 30 January 2009 - 09:09 PM

Use FileAssassin to check for and remove data.exe if still present.

Please insert your flash drive before we begin. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature and keep autorun.inf from executing automatically.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
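
The note above describes the trick: a directory named autorun.inf in the root of each drive means a worm cannot drop a file of that name there, so the stick cannot be re-armed even if it is plugged into another infected machine. The block below is an added example for this page, not Flash_Disinfector's code, and it claims nothing about that tool beyond what the post states (it creates a hidden autorun.inf folder). It first parses a constructed autorun.inf to show which directives would launch a payload, the reason the Shift-key and Flash_Disinfector steps exist, and then demonstrates the immunization on a temporary directory standing in for a drive root. The sample autorun.inf content and the RECYCLER\setup.exe payload path in it are constructed.

```python
"""Triage an autorun.inf and apply the 'folder named autorun.inf' immunization.

Added example for this thread; it is not Flash_Disinfector's code and makes no
claim about how that tool works beyond what the post states (it creates a
hidden autorun.inf folder). The sample autorun.inf is constructed, and the
'drive root' used by demo_immunization() is a temporary directory.
"""
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Tuple

# Constructed sample in the style of an AutoRun worm: every way of opening or
# exploring the drive is redirected to an executable in a hidden folder.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed example, not captured from a real drive
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\Command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {directive: value} from the [autorun] section, keys lower-cased.

    A small dedicated parser is used because autorun.inf section and key names
    are case-insensitive and keys may contain backslashes (shell\open\command).
    """
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def autorun_findings(directives: Dict[str, str]) -> List[str]:
    """List every directive that would cause Windows to launch something."""
    findings = []
    for key, value in directives.items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            findings.append(f"{key} -> {value}")
    return findings


def immunize(drive_root: str) -> str:
    """Create a directory named autorun.inf in the drive root.

    A file cannot be created with the same name as an existing directory, so a
    worm's attempt to drop autorun.inf fails. On Windows the directory is also
    marked hidden/system/read-only with attrib.exe, matching what the post says
    Flash_Disinfector does; on other platforms only the directory is created.
    """
    guard = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(guard):
        raise RuntimeError("autorun.inf file present: inspect and remove it before immunizing")
    os.makedirs(guard, exist_ok=True)
    if os.name == "nt":
        subprocess.run(["attrib", "+h", "+s", "+r", guard], check=False)
    return guard


def try_drop_autorun(drive_root: str) -> bool:
    """Simulate a worm writing autorun.inf; True if the write succeeded."""
    try:
        with open(os.path.join(drive_root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=setup.exe\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo_immunization() -> Tuple[bool, bool]:
    """(write succeeded before immunizing, write succeeded after) on a temp 'drive'."""
    with tempfile.TemporaryDirectory() as root:
        before = try_drop_autorun(root)
        os.remove(os.path.join(root, "autorun.inf"))
        immunize(root)
        after = try_drop_autorun(root)
    return before, after


if __name__ == "__main__":
    for finding in autorun_findings(parse_autorun(SAMPLE_AUTORUN)):
        print("launch directive:", finding)
    print("drop succeeded before/after immunization:", demo_immunization())
```

immunize() deliberately refuses to run when an autorun.inf file already exists: its open= or shell\...\command line points at the payload, so the file should be read and the payload located before either is deleted. The guard folder is a speed bump, not a cure; it protects only the root it sits in, and later Windows updates disabled AutoRun for USB drives altogether, so the trick matters mainly on XP-era systems like the one in this thread.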



