unidentified malware infection


9 replies to this topic

#1 aemaslin
Posted 23 February 2009 - 12:13 PM

Hi there,

I have previously been infected with malware, can't remember exactly the name, but I was able to identify and successfully remove it with anti-malware software, because it gave the name of the virus in the little yellow speech bubble error message that was appearing in the bottom right-hand corner, so I was able to look on this site and work out how to remove it. The same anti-malware programme won't work for this new infection, and neither will 'Search and Destroy' anti-spyware. Although it detects infections such as 'win32 agent.pz' and 'microsoftwindowssecuritycenter_disable', it will not remove them.

The error messages I have been receiving are:

A yellow/cream-coloured speech bubble in the bottom right-hand corner which asks me to scan with anti-spyware. If I click on it, it takes me to 'antispyware xp'.

grey popups, announcing shutdown of win32 programme

countdown timer of system shutdown (does not look legit)

desktop background has been changed to flashing warning message on black screen, has spelling errors so clearly not legit.

Also, I cannot connect to the internet at all now, although at first it just slowed down the connection process and would not let me visit the Bleeping Computer website.

I have AVG antivirus, but it is not picking this up. I suspect it has been disabled and somehow is still registering as enabled.


Any help would be really appreciated. I'm a 3rd year uni student and have loads of deadlines coming up and need my computer working again!!

Cheers!

#2 aemaslin
Posted 23 February 2009 - 12:17 PM

Forgot to say- I think the software I used for the previous infection was MBAM, but it failed to work when I ran it this time and now the infection seems to have removed it from my computer!

#3 rigel
Posted 23 February 2009 - 01:42 PM

Hi and welcome to BC...

Let's take a look at the Malwarebytes log. Please update and rerun MBAM. Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 aemaslin
Posted 23 February 2009 - 04:25 PM

Hi!

After I posted my original message, I downloaded MBAM onto a memory stick to try and install it on my laptop from another computer, as I couldn't connect to the internet. When I got home, I tried to boot up my computer, but now all it does is ask for my Windows password, and then it briefly shows the desktop and then displays an error message on a blue background that takes up the whole screen. I don't get a chance to read it cos it just restarts the computer and does the same again. I left it for a couple of hours and tried again, but it still just resets itself. Does this mean it's broken for good now?!
thanks!

#5 aemaslin
Posted 23 February 2009 - 05:11 PM

One more thing: before it started doing the error message/restart cycle, the last scan I did with Spybot S&D showed up the following:

microsoft.WindowsSecurityCenter.disabled
virtumonde
win32.clicker.vp
win32.delf.vc
win32.tdss.rtk
win32.winlagons.co

thanks again

#6 rigel
Posted 23 February 2009 - 09:14 PM

win32.tdss.rtk


We have a problem here...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.



#7 aemaslin
Posted 24 February 2009 - 07:45 AM

Uh oh!! That sounds pretty serious! Unfortunately I have no way of backing my computer up at the moment. I don't really use it for anything other than word processing, music and internet/email, and am the only user. I do have internet banking, but I changed my password on a different computer once I realised I might be infected. So I would like to proceed with the removal, if that's possible, as my laptop won't let me log into Windows?

Thanks for your advice!

#8 rigel
Posted 24 February 2009 - 08:23 AM

We need to move you to the HJT forum. They have more advanced tools to deal with this type of infection...

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...



#9 aemaslin
Posted 24 February 2009 - 09:27 AM

Thanks - will save to a memory stick and install when I get home - will I still be able to do this without being able to log into Windows?

#10 rigel
Posted 24 February 2009 - 12:37 PM

The HJT likes you to run it from normal mode, but if that doesn't work, try safe mode and note why it was run that way. If you can't get that to work, please tell them in your post. Point them here so they can see what we have done to this point.
