
malware and worms?


25 replies to this topic

#1 Sandi54

Sandi54

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 26 February 2009 - 10:23 PM

:thumbsup: I am having trouble with the computer. I need help. I ran Malware and it found nothing. My avast found malware and a worm which went in the chest but I am still having trouble. Hope you can help. Also when I pull up my computer and try to bring up the c drive it says: RECYCLER\S-8-89-100013524-100026989-100023243-2604.com and I know that can't be good. Need help quick PLEASE!!!!!

Edited by Sandi54, 27 February 2009 - 08:50 AM.



 


#2 Sandi54


Posted 26 February 2009 - 10:34 PM

Waiting to hear patiently how to proceed.

Edited by Sandi54, 27 February 2009 - 10:20 AM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:51 PM

Posted 27 February 2009 - 10:41 AM

Moved to more appropriate forum from HJT
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:51 PM

Posted 27 February 2009 - 10:51 AM

Run disk cleanup

then

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

then disable avast and post a fresh updated MBAM scan log

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/


also post the avast log showing the worm

Edited by DaChew, 27 February 2009 - 10:52 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#5 Sandi54


Posted 28 February 2009 - 12:22 AM

Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

02/27/09 8:56:01 PM
mbam-log-2009-02-27 (20-55-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 162223
Time elapsed: 53 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.38,85.255.112.95 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The avast items in the chest were wrdwn12,14,15,18,21,24,26,27,30,32,33,and 36

#6 Sandi54


Posted 28 February 2009 - 12:28 AM

Now Avast has come up three times with the RECYCLER worm I mentioned. I went to my computer and tried to pull up the c drive and it started coming up as the worm

#7 Sandi54


Posted 28 February 2009 - 12:39 AM

This is quick scan that I just did. I did not remove the trojans. Should I??

Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

02/27/09 9:37:21 PM
mbam-log-2009-02-27 (21-37-07).txt

Scan type: Quick Scan
Objects scanned: 57387
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Swordie

Swordie

  • Members
  • 792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miami, Florida
  • Local time:10:51 PM

Posted 28 February 2009 - 12:46 AM

Yes, you should. There's no point in an Anti-Malware program if you're not going to remove the malware, right?
Who said I couldn't have everything?

#9 Sandi54


Posted 28 February 2009 - 12:59 AM

I removed and rebooted! The c drive still has the RECYCLER worm in it.


Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

02/27/09 9:54:51 PM
mbam-log-2009-02-27 (21-54-51).txt

Scan type: Quick Scan
Objects scanned: 56793
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Sandi54, 28 February 2009 - 01:04 AM.
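
Added example, not part of any post in this thread: a small Python parser for the "Registry Data Items Infected" lines in the MBAM logs above, which separates findings that were only reported ("No action taken") from those that were removed. The function names and the regular expression are assumptions made for this example, based only on the line layout visible in these logs.

```python
import re
from collections import defaultdict

# Finding line layout seen in the logs above (assumed from those lines only):
#   <key>\<value> (<detection>) -> Data: <data> -> <action>.
FINDING = re.compile(
    r"^(?P<path>HKEY_[^()]+?)\s+\((?P<name>[^)]+)\)"
    r"\s+->\s+Data:\s+(?P<data>.*?)\s+->\s+(?P<action>.+?)\.?$"
)

# Sample input: one finding line copied from post #7 and one from post #9,
# plus surrounding section lines, combined here for the example.
SAMPLE = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{15b417f8-7750-4613-8cc9-7f099b6e7303}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.82,85.255.112.191 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
"""

def parse_findings(log_text):
    """Return one dict per registry-data finding line; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue  # section headers, counters, "(No malicious items detected)"
        key, _, value = m.group("path").rpartition("\\")
        findings.append({
            "key": key,                      # registry key holding the value
            "value": value,                  # e.g. NameServer / DhcpNameServer
            "detection": m.group("name"),
            "servers": tuple(s.strip() for s in m.group("data").split(",")),
            "removed": m.group("action").lower().startswith("quarantined"),
        })
    return findings

def unresolved(findings):
    """Findings the scan reported but did not remove."""
    return [f for f in findings if not f["removed"]]

def servers_by_value(findings):
    """Map registry value name -> set of resolver addresses flagged in it."""
    out = defaultdict(set)
    for f in findings:
        out[f["value"]].update(f["servers"])
    return dict(out)
```

Any entry returned by `unresolved()` means the flagged name-server value is still in the registry and the scan needs to be re-run with removal selected.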


#10 Swordie


Posted 28 February 2009 - 01:07 AM

Do a full system scan. Your report only shows a Quick Scan.

#11 Sandi54


Posted 28 February 2009 - 01:12 AM

Since a full scan takes about an hour I will do it tomorrow. I will shut off the computer and internet for the night for safety

#12 Swordie


Posted 28 February 2009 - 01:16 AM

Okay. When you do it, just make sure to give us the report. We can help you more with it.

Sometimes the problems are outside the common areas.

#13 Sandi54


Posted 28 February 2009 - 01:25 AM

Thanks! I really appreciate what you do and the time you spend!!!!!

#14 Swordie


Posted 28 February 2009 - 01:26 AM

Quote: "Thanks! I really appreciate what you do and the time you spend!!!!!"


Not a problem. Hopefully MBAM will clean out your worm. If not, we could use Avira or Avast to try to get rid of the worm.

#15 Sandi54


Posted 28 February 2009 - 08:48 AM

It shows no infected items. I am afraid to bring up the c drive from my computer. What do you suggest next?


Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

02/28/09 5:45:38 AM
mbam-log-2009-02-28 (05-45-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160368
Time elapsed: 49 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



