Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection: Trojan.Generic & Application - NirCmd


  • Please log in to reply
5 replies to this topic

#1 DenPar

DenPar

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 02 February 2009 - 11:55 AM

Hello,

Here are my infections as described by Spyware Doctor:
Threat: Trojan.Generic
Type: Registry Key
Risk Level: Medium
Infection: HKEY_USERS\S-1-5-21-3991344318-172546020-999913125-1006\Software\Wget

Threat: Application.NirCmd
Type: Registry value
Risk Level: Info PUAs
Infection: HKEY_LOCAL_MACHINE\SOFTWARE\swearware.combofix_wow

Threat: Application.NirCmd
Type: Registry value
Risk Level: Info PUAs
Infection: HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

Threat: Application.NirCmd
Type: Registry value
Risk Level: Info PUAs
Infection: HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

Threat: Application.NirCmd
Type: Registry Key
Risk Level: Info PUAs
Infection: HKEY_LOCAL_MACHINE\SOFTWARE\swearware

Threat: Application.NirCmd
Type: Registry Key
Risk Level: Info PUAs
Infection: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME,

Threat: Application.NirCmd
Type: File
Risk Level: Info PUAs
Infection: C:\ComboFix\nircmd.com

Threat: Application.NirCmd
Type: Folder
Risk Level: Info PUAs
Infection: C:\ComboFix\

When this happened I was viewing a news video from what I thought was a safe website. Suddenly, a box appeared that said something like: “Trojan detected. You need to download Antivirus 2010.” I cant remember the exact message because it freaked me out. The message made it seems like a legitimate message, but I had read where one cannot be sure. So I did not comply and that's when Spyware Doctor informed me of the above threats.

Everything seemed to be OK until I turned off my computer and then started it up this morning. The boot froze and a message appeared as: “Please select operating system to start.” Below that the choice was recovery or Windows xp. Then the message went away and the computer started up normally.

I thought I should check with someone to make sure there's not something going on.
Thanks

Edited by DenPar, 02 February 2009 - 11:57 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 02 February 2009 - 12:19 PM

You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.

Some common detections include NirCmd which is a command-line utility that allows writing to and deletion of values and keys in the registry and Catchme which is a rootkit scanner that detects all userland rootkits.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

The alert to download Antivirus 2010 is a separate issue. Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Notes: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.

Edited by quietman7, 02 February 2009 - 12:20 PM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 DenPar

DenPar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 02 February 2009 - 01:38 PM

Hello,

The one and only time I have used combofix was under the direction and instruction of Miekiemoes. Please see the link below:

http://www.bleepingcomputer.com/forums/t/198233/infected-with-trojanagentawde/

I followed her instructions to the letter. If something or some program remained on my computer, I cannot say. I simply followed instructions. Do I need to do anything to get combofix off my computer?

Here is the log you requested:

Malwarebytes' Anti-Malware 1.33
Database version: 1716
Windows 5.1.2600 Service Pack 3

2/2/2009 12:15:55 PM
mbam-log-2009-02-02 (12-15-55).txt

Scan type: Quick Scan
Objects scanned: 57468
Time elapsed: 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dennis Parmenter\Local Settings\Temporary Internet Files\Content.IE5\WX6Y3ASH\AV2010Installer[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

I appreciate very much your assistance. If I did something wrong when while with Miekiemoes, please let me know. Or if I need to correct something I did while working with Miekiemoes, please let me know. I try to follow instructions and play my the rules.

Thanks...Dennis

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 02 February 2009 - 02:05 PM

The one and only time I have used combofix was under the direction and instruction of Miekiemoes

Then that was ok. You were being helped by one of the best.

Please download OTCleanIt.exe and save to your Desktop.
  • Connect to the Internet and double-click on the file to launch the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the Internet, please allow the connection.
  • When it has finished, OTCleanIt will ask you to reboot so it can remove itself.
-- Note: Doing this will remove any specialized tools (including this one) downloaded and used.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 DenPar

DenPar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 02 February 2009 - 02:20 PM

Done...thank you again for your help

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 02 February 2009 - 02:25 PM

You're welcome.

Now you should Create a New Restore Point to prevent possible reinfection from an old one to enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smrgsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users