URGENT: Trojan.Daonol Keeps Popping Up After Malwarebytes Removes It/ Moved

15 replies to this topic

#1 kokobaby

kokobaby

  • Members
  • 8 posts
  • Gender:Female
  • Location:Texas

Posted 14 March 2009 - 04:57 AM

I originally was infected with Bancos.TrojanPWS yesterday and that was removed.
Then I got infected with Trojan.Daonol. I went to the Malwarebytes.org site and started logs there with them, but I can no longer access their site, the server keeps going down. This is VERY URGENT as this is on my Office PC and I have all of our accounting/quickbooks records on this PC. I ran the MBAM and it keeps telling me it's quarantined and removed this Trojan.Daonol, but it keeps popping back up. It's in the WINDOWS file and the file name is called raedy.vas

I am soooo frustrated, I've tried deleting it, dragging and dropping from WINDOWS into the Quarantine Folder in my PC Tools Internet Security 2009, and renaming it and changing the properties and it just keeps popping back up in the WINDOWS folder, so I put it back the way it was.

This is really scary, I went to this site called VirusReport.com and I submitted the File Name - C:\WINDOWS\raedy.vasx

This is the report I got...

**NOTE**

SEE The Other Viruses It's Listing??? :flowers:
I need help please!!
Thank you,

Lorrie

===================================
File raedy.vasx received on 03.13.2009 09:58:05 (CET)
Current status: Finished

Result: 4/39 (10.26%)


Antivirus Version Last Update Result

a-squared 4.0.0.101 2009.03.13 -
AhnLab-V3 5.0.0.2 2009.03.13 -
AntiVir 7.9.0.114 2009.03.13 -
Authentium 5.1.0.4 2009.03.12 -
Avast 4.8.1335.0 2009.03.12 -
AVG 8.0.0.237 2009.03.13 -
BitDefender 7.2 2009.03.13 -
CAT-QuickHeal 10.00 2009.03.13 Trojan.Delf.juk
ClamAV 0.94.1 2009.03.13 -
Comodo 1051 2009.03.12 -
DrWeb 4.44.0.09170 2009.03.13 -
eSafe 7.0.17.0 2009.03.12 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.12 -
F-Secure 8.0.14470.0 2009.03.13 -
Fortinet 3.117.0.0 2009.03.13 -
GData 19 2009.03.13 -
Ikarus T3.1.1.45.0 2009.03.13 -
K7AntiVirus 7.10.668 2009.03.12 -
Kaspersky 7.0.0.125 2009.03.13 -
McAfee 5551 2009.03.12 -
McAfee+Artemis 5551 2009.03.12 -
McAfee-GW-Edition 6.7.6 2009.03.13 Trojan.LooksLike.Agent
Microsoft 1.4405 2009.03.13 -
NOD32 3933 2009.03.13 -
Norman 6.00.06 2009.03.12 -
nProtect 2009.1.8.0 2009.03.13 -
Panda 10.0.0.10 2009.03.12 -
PCTools 4.4.2.0 2009.03.13 -
Prevx1 V2 2009.03.13 High Risk Cloaked Malware
Rising 21.20.41.00 2009.03.13 Trojan.Win32.Nodef.faz
Sophos 4.39.0 2009.03.13 -
Sunbelt 3.2.1858.2 2009.03.13 -
Symantec 1.4.4.12 2009.03.13 -
TheHacker 6.3.3.0.281 2009.03.13 -
TrendMicro 8.700.0.1004 2009.03.13 -
VBA32 3.12.10.1 2009.03.12 -
ViRobot 2009.3.13.1648 2009.03.13 -
VirusBuster 4.5.11.0 2009.03.12 -

Additional information

File size: 13824 bytes

MD5...: a1393446e427cfc38731967476ccd6d7

SHA1..: e2a3695587b993abf3d73c1e28c868d7f846ab50

SHA256: df60afe89f3043d48782bd50108a2147013fd2166a5dc3e7ca44bf291ebf7e43

SHA512: 7c312d01fd1b4e9bc2bb87f8449237348e88a83fc05b859aa4251be64e4ad3c5
67539f0df6bee7e992ca9adf138c0cbb3859921e42e3636e4e4239c31e4f202c

ssdeep: 192:ndL88YOBPH+Z82Jd0xif3ssKcDFB2B8SbKrBXmI33yVRNJWascKbH5:dw1Pdy43fKSFfBX133ON8fcy

PEiD..: -

TrID..: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)


PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3738
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x2758 0x2800 6.63 98b5a980173f42b89ce031e8c1363edd
DATA 0x4000 0x160 0x200 3.38 565f7ea841d4eb0692d081c5de8a6d9b
BSS 0x5000 0xf55 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6000 0x2c2 0x400 3.25 545d26a7844e10be88b1169b54f4bf2d
.reloc 0x7000 0x1fc 0x200 6.02 bc1392ed3d57085d8b13958d9b37e030
.rsrc 0x8000 0x180 0x200 2.70 83c6c22c3bf1555eb044b2185ad56b89

( 2 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary, GetProcessHeap
> kernel32.dll: VirtualFree, VirtualAlloc, Sleep, ReadFile, LoadLibraryA, HeapFree, HeapAlloc, GetTickCount, GetProcessHeap, GetProcAddress, GetModuleFileNameA, GetFileSize, GetComputerNameA, FindAtomA, ExitProcess, CreateThread, CreateFileA, CloseHandle, AddAtomA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=D413EB2F00830EAA36E400B3E89FA800033A4BFD
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=a1393446e427cfc38731967476ccd6d7


+++++++++++++++++++++++++++++++++++++++++

MY NOTES: (One of the AV's listed above that caught the viruses)

Rising AV:
www.online.rising.com.cn/order/KillVirus_EN_Rav.a

=========================================

Malwarebytes' Anti-Malware 1.34
Database version: 1842
Windows 5.1.2600 Service Pack 3

3/14/2009 4:20:03 AM
mbam-log-2009-03-14 (04-20-03).txt

Scan type: Quick Scan
Objects scanned: 65475
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\raedy.vas (Trojan.Daonol) -> Quarantined and deleted successfully.
================================

I just re-submitted the raedy.vas file to VirusTotal and now I have MORE VIRUSES! :thumbsup:

I think I am going to have to reformat my PC! Ugh!!

File raedy.vas received on 03.14.2009 14:22:52 (CET)

Result: 7/39 (17.95%)


Antivirus Version Last Update Result

a-squared 4.0.0.101 2009.03.14 -
AhnLab-V3 5.0.0.2 2009.03.13 -
AntiVir 7.9.0.114 2009.03.13 -
Authentium 5.1.0.4 2009.03.14 -
Avast 4.8.1335.0 2009.03.13 -
AVG 8.0.0.237 2009.03.14 -
BitDefender 7.2 2009.03.14 -
CAT-QuickHeal 10.00 2009.03.14 Trojan.Delf.juk
ClamAV 0.94.1 2009.03.14 -
Comodo 1056 2009.03.14 -
DrWeb 4.44.0.09170 2009.03.14 -
eSafe 7.0.17.0 2009.03.12 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.13 -
F-Secure 8.0.14470.0 2009.03.14 -
Fortinet 3.117.0.0 2009.03.14 -
GData 19 2009.03.14 -
Ikarus T3.1.1.45.0 2009.03.14 -
K7AntiVirus 7.10.668 2009.03.12 -
Kaspersky 7.0.0.125 2009.03.14 -
McAfee 5552 2009.03.13 Vundo.gen.aj
McAfee+Artemis 5552 2009.03.13 Vundo.gen.aj
McAfee-GW-Edition 6.7.6 2009.03.13 Trojan.LooksLike.Agent
Microsoft 1.4405 2009.03.14 -
NOD32 3935 2009.03.13 -
Norman 6.00.06 2009.03.13 -
nProtect 2009.1.8.0 2009.03.14 -
Panda 10.0.0.10 2009.03.14 Trj/CI.A
PCTools 4.4.2.0 2009.03.14 -
Prevx1 V2 2009.03.14 High Risk Cloaked Malware
Rising 21.20.52.00 2009.03.14 Trojan.Win32.Nodef.faz
Sophos 4.39.0 2009.03.14 -
Sunbelt 3.2.1858.2 2009.03.13 -
Symantec 1.4.4.12 2009.03.14 -
TheHacker 6.3.3.0.281 2009.03.13 -
TrendMicro 8.700.0.1004 2009.03.13 -
VBA32 3.12.10.1 2009.03.14 -
ViRobot 2009.3.13.1648 2009.03.13 -
VirusBuster 4.6.5.0 2009.03.13 -


Edited by Orange Blossom, 14 March 2009 - 11:30 AM.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,008 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 March 2009 - 11:29 AM

Hello kokobaby,

As no specialized logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.

Quote: This is VERY URGENT as this is on my Office PC and I have all of our accounting/quickbooks records on this PC.


Is there an IT department for your office?

Quote: I went to the Malwarebytes.org site and started logs there with them, but I can no longer access their site, the server keeps going down


Do you have the links to your topic/topics there? We need to know what has been done. Also, if we assist you here, your topics at MalwareBytes will need to be closed.

That said, what is your operating system: Windows XP, Vista etc.?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 kokobaby

Posted 14 March 2009 - 05:09 PM

Hi,

Thank you so much for answering. For some reason I can still get the emails from MalwareBytes but I cannot reach their site due to DNS Errors. I can access the internet to other sites, so I know my browser is still functioning. They told me to run the Dr. Web CureIt program so that's what I am doing right now and I am not liking what I'm seeing. lol
It's saying that my IBMTools files which my PC guy left on the hard drive for future reformatting are infected. One was moved so far and one was moved and incurable. The scan is still running, so I will post that report when the scan is finished. I just pray that this hasn't affected the files left on the hard drive for reformatting/reinstalling Win XP Pro. :thumbsup:

I am the IT specialist for this office. I run my father's business. I am very PC savvy, so I should be able to handle this. I know how to reformat, etc..

Oh, and I copied and pasted the posts from the Malwarebytes Forum, so you have everything thus far, but here is the link to the messages.

http://www.malwarebytes.org/forums/index.php?showtopic=12544

Thank you again!
Lorrie

Edited by kokobaby, 14 March 2009 - 05:13 PM.


#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 14 March 2009 - 07:20 PM

Use a clean computer to follow AdvancedSetup's instructions, I will PM him about your problems

He'll understand
Chewy

No. Try not. Do... or do not. There is no try.

#5 AdvancedSetup

AdvancedSetup

  • Security Colleague
  • 141 posts
  • Gender:Male

Posted 14 March 2009 - 08:11 PM

Hi Orange Blossom,

Since the user is unable to easily visit our site it would be great if you guys can take over from here.

Thanks for the heads up Da Chew

#6 DaChew

Posted 14 March 2009 - 08:27 PM

Using the clean computer download and install

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


This will help immunize a usb drive for taking the cureitlog to the clean computer
Chewy

No. Try not. Do... or do not. There is no try.
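
The autorun.inf folder trick described in the post above, as an added example (not part of the original thread and not Flash_Disinfector's own code): a Python audit that checks a drive root and reports whether `autorun.inf` is absent, blocked by a folder of that name, or a real file, and in the last case lists the commands it asks Windows to launch. The function names, the sample file contents and the directory names are constructed for the illustration.

```python
import os
import tempfile


def launch_commands(text):
    """Return (key, value) pairs in the [autorun] section that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in ("open", "shellexecute") or is_verb:
                found.append((key, value))
    return found


def audit_root(root):
    """Classify autorun.inf at a drive root: 'absent', 'blocked' or 'file'."""
    match = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not match:
        return "absent", []
    path = os.path.join(root, match[0])
    if os.path.isdir(path):
        # A folder holds the name, so no file called autorun.inf can be written.
        return "blocked", []
    with open(path, "rb") as handle:
        data = handle.read(65536)  # cap the read; genuine files are tiny
    has_bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if has_bom else "latin-1", errors="replace")
    return "file", launch_commands(text)


# Constructed sample of an autorun file that launches a program.
SAMPLE = (
    "[AutoRun]\r\n"
    "open=sample.exe\r\n"
    "icon=drive.ico\r\n"
    "shell\\open\\command=sample.exe /x\r\n"
    "[Other]\r\n"
    "open=ignored.exe\r\n"
)


def demo():
    """Build three constructed drive roots in a temp dir and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("empty", "immunized", "risky"):
            os.mkdir(os.path.join(base, name))
        os.mkdir(os.path.join(base, "immunized", "autorun.inf"))
        risky = os.path.join(base, "risky", "AUTORUN.INF")
        with open(risky, "w", newline="") as handle:
            handle.write(SAMPLE)
        for name in ("empty", "immunized", "risky"):
            results[name] = audit_root(os.path.join(base, name))
    return results


if __name__ == "__main__":
    for root, (status, commands) in demo().items():
        print(root, status, commands)
```

On a real system, pass each drive root (for example `E:\`) to `audit_root`; a result of `file` on a removable drive is the case worth inspecting before the drive is used on another machine.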

#7 kokobaby

Posted 14 March 2009 - 09:15 PM

For some reason there isn't an "Attachment" area here like on MBAM's Forum for me to submit my Dr. Web CureIt Report.

Thanks,
Lorrie

#8 kokobaby

Posted 14 March 2009 - 09:22 PM

Hi DaChew,

I saved the Flash_Disinfector.exe file to my desktop and double clicked it and nothing happened. The program won't execute. How odd.

For some reason, I am unable to click on a certain topic here in this Forum to reply to individual posts and there isn't an attachment at the bottom for me to send in the Dr. Web CureIt Report and New HiJackThis Log as requested by the staff at MBAM.

Thank you,
Lorrie

#9 DaChew

Posted 14 March 2009 - 09:33 PM

You have to use another computer for the flashdisinfector, it will be blocked on the infected one
Chewy

No. Try not. Do... or do not. There is no try.

#10 kokobaby

Posted 14 March 2009 - 09:38 PM

Hi,

Okay, I don't have a Flash Drive or any External Hard Drives on this PC or the other one. I have another PC in the other room, but I am not sure what you're wanting me to do.

I have copied and pasted the Dr. Web CureIt Report Below.
Thank you,
Lorrie

606208_5cb1a3a8f__tv7216.tmp;C:IBMTOOLSAPPSACCSUPTSUPPORT.EXE/vaultsdsdcmon.dll606208_5cb1a3a8f_;Probably DLOADER.Trojan;;

vaultsdsdcmon.dll606208_5cb1a3a8f_;C:IBMTOOLSAPPSACCSUPTSUPPORT.EXE/vaultsdsdcmon.dll;Archive contains infected objects;;

802816_5b998ece5__tv72CC.tmp;C:IBMTOOLSAPPSACCSUPTSUPPORT.EXE/vaulttgtgupdate.exe802816_5b998ece5_;Probably DLOADER.Trojan;;

vaulttgtgupdate.exe802816_5b998ece5_;C:IBMTOOLSAPPSACCSUPTSUPPORT.EXE/vaulttgtgupdate.exe;Archive contains infected objects;;

SUPPORT.EXE;C:IBMTOOLSAPPSACCSUPT;Archive contains infected objects;Moved.;

spsreng.dll;C:Program FilesCommon FilesSpeechEnginesMicrosoftSR;Trojan.PWS.Rapida.origin;Incurable.Moved.;

sdcmon.dll;C:ProgramFilesSupport.combin;ProbablyDLOADER.Trojan;;

tgupdate.exe;C:Program FilesSupport.combin;Probably DLOADER.Trojan;;

A0025761.ocx;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP162;Adware.Coupons.34;Moved.;

A0031861.dll;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP208;Probably STPAGE.Trojan;;

606208_5cb1a3a8f__tv7216.tmp;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211A0031958.EXE/vaultsdsdcmon.dll606208_5cb1a;Probably DLOADER.Trojan;;

vaultsdsdcmon.dll606208_5cb1a3a8f_;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211A0031958.EXE/vaultsdsdcmon.dll;Archive contains infected objects;;

802816_5b998ece5__tv72CC.tmp;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211A0031958.EXE/vaulttgtgupdate.exe802816_5b9;Probably DLOADER.Trojan;;

vaulttgtgupdate.exe802816_5b998ece5_;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211A0031958.EXE/vaulttgtgupdate.exe;Archive contains infected objects;;

A0031958.EXE;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211;Archive contains infected objects;Moved.;

A0031959.dll;C:System Volume Information_restore{A2C31AE9-DB16-41ED-A576-5A8E89C3AD13}RP211;Trojan.PWS.Rapida.origin;Incurable.Moved.;

Edited by Orange Blossom, 14 March 2009 - 10:29 PM.
Remove HJT log as they are not permitted in this forum. ~ OB


#11 kokobaby

Posted 14 March 2009 - 09:55 PM

Are any of you familiar with VirusTotal.com?

You can upload and submit an infected file and it will scan it using multiple AV sites and give you an instant report.

I had submitted one file from the Dr. Web CureIt Report to see what it would say and this was the result.

File Submitted - C:\Program Files\Support.com\bin\sdcmon.dll

See Report Here:
http://www.virustotal.com/analisis/81e4c1e...7f1c95069a78437

It Found These:

DrWeb 4.44.0.09170 2009.03.14 DLOADER.Trojan
ViRobot 2009.3.13.1648 2009.03.13 Spyware.Agent.Do.606208

I'm thinking my PC is severely compromised right now, and wondering if I should just wipe the hard drive and do a clean reinstall. The only thing is my PC guy put Win XP Pro and the IBMTOOLS files on the hard drive for future reformatting. What do you think? Are those compromised too? :thumbsup:

Thank you,
Lorrie

Edited by kokobaby, 14 March 2009 - 10:09 PM.


#12 DaChew

Posted 14 March 2009 - 10:09 PM

We have a catch 22 situation, we don't accept HJT logs in this forum, our HJT forum is backed up with a long wait.

You could post there but there's another problem, your HJT thread at MBAM forum is open and you can't have 2 open HJT threads in security forums.

I was just trying to get you back online with MBAM and advancedsetup, a usb drive and a clean computer might have worked
Chewy

No. Try not. Do... or do not. There is no try.

#13 kokobaby

Posted 14 March 2009 - 10:15 PM

Hi,

Yea, for some reason I cannot get to my threads over there. I believe above they said they were just going to delete them and help me over here because for some odd reason when I try to go to MBAM I keep getting a DNS Error? I don't know why, my PC is running very well actually, I am able to surf the net and get email, etc. The Moderator moved my posts over here because there weren't any "specialized logs". I don't know what to do at this point, I have to get this resolved as soon as possible and get this Office PC clean.

Thank you,
Lorrie

#14 Orange Blossom

Posted 14 March 2009 - 10:36 PM

Quote: For some reason there isn't an "Attachment" area here like on MBAM's Forum for me to submit my Dr. Web CureIt Report.

Thanks,
Lorrie


Can you copy and paste the log into the posting area for responses?

Since AdvancedSetup gave carte blanche for BC to assist under the circumstances, AdvancedSetup can close the topic in the MalwareBytes forum and resolve the potential conflict of two open topics on the same thing. :flowers:

Quote: I'm . . . wondering if I should just wipe the hard drive and do a clean reinstall.


This is likely to be the quickest option as our HiJack This forum is EXTREMELY busy and it could easily be at least 2 weeks before you get a response there.

Quote: The only thing is my PC guy put Win XP Pro and the IBMTOOLS files on the hard drive for future reformatting.


Do you have the discs for these available? Do you have a recovery partition on the hard-drive? Could your PC guy assist you?

If, however, you wish to post in the HiJack This forum after all, go to step 6 in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. When you have done that, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Prep Guide to post a new log. Please include a link to this topic in that new topic.

If you cannot get DDS to run, then please post back here for further instructions.

Please let us know what you choose to do.

Orange Blossom :thumbsup:

#15 kokobaby

Posted 16 March 2009 - 07:03 PM

Hi,

Thank you everyone for trying to help me! I have reformatted my PC and rid it of all infections.
You can delete this topic now.

Lorrie



