
I am infected with something


7 replies to this topic

#1 joepdx (Members, 10 posts)

Posted 01 April 2009 - 11:19 AM

Hi,

I woke this morning to find that my computer had spam emailed everyone in my Hotmail folder. I run Norton Internet Security, ran Windows Update yesterday, which showed my system as up to date, and also ran Windows Defender; all showed my system as clean. I downloaded Malwarebytes Antivirus and did a quick scan which found no infections. I am currently running a full system scan using Malwarebytes which has been running for over an hour but has not detected any infections.

I went to the Microsoft website to check on what to look for if you are infected with Conficker C, and it stated that it would add an option to your AutoPlay. I inserted a TurboTax CD into the computer, and when AutoPlay comes up it appears that there is a box at the top for "Install or run program". With the TurboTax CD it gives me the option that says "Run Setup.exe, Published by Intuit". I did not click on this option.

I am guessing that I am somehow infected with Conficker? Can anyone provide any additional information on what I should do?

Thanks,

Joe P
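The AutoPlay check described above comes from the disc's autorun.inf, which is what Windows reads to build the extra entry. As an added example (not code from this thread, from Microsoft, or from any product named here), the Python below parses an autorun.inf the lenient way Windows does and flags the traits that removable-media worms were reported to rely on: an action= label copied from the system's own "Open folder to view files" entry, a folder icon borrowed from shell32.dll, rundll32 loading a module with a made-up extension from a folder nobody browses, and junk lines buried between the real keys. The two sample files, every file and folder name inside them, and the heuristics themselves are constructed assumptions for illustration, not data from any real sample.

```python
"""Inspect an autorun.inf for traits that removable-media worms rely on.

Added example; the sample files and the heuristics are assumptions for
illustration, not data from the thread or from any real worm sample.
Windows' INI reader is lenient: lines that are not key=value are skipped,
which lets a worm bury the keys that matter among binary junk.  The
parser below mirrors that leniency and then reports what it found.
"""
import re

# Constructed sample: what an ordinary installer disc ships.
BENIGN = """\
[autorun]
open=Setup.exe
icon=Setup.exe,0
label=Tax Software 2008
"""

# Constructed sample of a worm-style file: junk lines between the real keys,
# an action label that copies the system's own AutoPlay entry, the folder icon
# from shell32.dll, and rundll32 loading a "DLL" with a made-up extension from
# a folder users never browse.  All names are invented.
WORMLIKE = """\
[autorun]
\x00\x8a\xf1\x02 junk that a lenient INI parser skips
ACTION=Open folder to view files
\x01\x7f\xd3 more junk
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RuNdLl32.EXE .\\RECYCLER\\S-5-3-42\\payload.vmx,InstallHelper
UseAutoPlay=1
"""

_KEY_VALUE = re.compile(r"^([A-Za-z0-9_.\\ ]+?)\s*=\s*(.*)$")
_SYSTEM_ACTION = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)
_HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return ({key: value}, junk_line_count) for the [autorun] section.

    Keys are lower-cased.  Comment lines (';') are ignored silently; any
    other line that is not key=value is counted as junk.
    """
    keys, junk, in_section = {}, 0, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[autorun]"
            continue
        if not in_section:
            continue
        m = _KEY_VALUE.match(stripped)
        if m:
            keys[m.group(1).strip().lower()] = m.group(2).strip()
        else:
            junk += 1
    return keys, junk


def launch_commands(keys):
    """Every value AutoRun may execute: open=, shellexecute=, shell\\X\\command=."""
    return [v for k, v in keys.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(text):
    """Parse one autorun.inf and return a verdict with the reasons behind it."""
    keys, junk = parse_autorun(text)
    commands = launch_commands(keys)
    flags = []
    if _SYSTEM_ACTION.search(keys.get("action", "")):
        flags.append("action= copies the system's own 'Open folder to view files' entry")
    if "shell32.dll" in keys.get("icon", "").lower():
        flags.append("icon= borrows a stock icon from shell32.dll to pass as a folder")
    for cmd in commands:
        low = cmd.lower()
        tokens = low.split()
        if tokens and "rundll32" in tokens[0]:
            flags.append(f"rundll32 launch: {cmd}")
            if len(tokens) > 1:
                module = tokens[1].split(",")[0]   # rundll32 <module>,<entry>
                if not module.endswith(".dll"):
                    flags.append(f"rundll32 module has a non-.dll extension: {module}")
        if any(d in low for d in _HIDDEN_DIRS):
            flags.append(f"command runs from a folder users never browse: {cmd}")
    if junk:
        flags.append(f"{junk} unparsable line(s) interleaved with the keys (obfuscation)")
    return {"verdict": "suspicious" if flags else "benign-looking",
            "commands": commands, "flags": flags}


if __name__ == "__main__":
    for name, sample in (("BENIGN", BENIGN), ("WORMLIKE", WORMLIKE)):
        print(name, assess(sample))
```

A "benign-looking" result only means the file carries none of these tells; the real exposure is AutoRun executing anything from removable media at all, which is why the safer setting is to disable it rather than to trust the inspection. Read the file with AutoPlay already disabled, or from another machine, so that inspecting the disc does not itself trigger the entry.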


#2 joepdx (Topic Starter, Members, 10 posts)

Posted 01 April 2009 - 03:59 PM

I downloaded Malwarebytes' Anti-Malware and updated the program. I then ran a quick scan and nothing was found. I then did a full scan which took just over 3 hrs and again nothing was found. Here is the log below. I am running Windows Vista Ultimate 32-bit. I am going to download SUPERAntiSpyware and run a scan with that and will report back.

Malwarebytes' Anti-Malware 1.35
Database version: 1928
Windows 6.0.6001 Service Pack 1

4/1/2009 1:23:30 PM
mbam-log-2009-04-01 (13-23-30).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 159021
Time elapsed: 3 hour(s), 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#3 joepdx (Topic Starter, Members, 10 posts)

Posted 01 April 2009 - 05:14 PM

I ran a scan with SUPERAntiSpyware and it did find some harmful files. Here is the log. I am going to download Dr.Web CureIt! and scan my system and will follow up with a post.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2009 at 03:01 PM

Application Version : 4.26.1000

Core Rules Database Version : 3823
Trace Rules Database Version: 1779

Scan type : Complete Scan
Total Scan Time : 00:41:04

Memory items scanned : 272
Memory threats detected : 0
Registry items scanned : 7390
Registry threats detected : 0
File items scanned : 103583
File threats detected : 62

Adware.Tracking Cookie
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@account.live[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@ad.yieldmanager[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@adrevolver[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@ads.bleepingcomputer[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@ads.bridgetrack[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@advertising[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@apmebf[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@atdmt[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@bs.serving-sys[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@chitika[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@data.coremetrics[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@doubleclick[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@dynamic.media.adrevolver[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@euroclick[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@fastclick[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@insightexpressai[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@media.adrevolver[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@media6degrees[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@msnaccountservices.112.2o7[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@msnportal.112.2o7[1].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@questionmarket[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@richmedia.yahoo[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@serving-sys[2].txt
C:\Users\Joeyp\AppData\Roaming\Microsoft\Windows\Cookies\Low\joeyp@trafficmp[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@2o7[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@ad.yieldmanager[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@adbrite[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@adopt.specificclick[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@adrevolver[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@ads.pointroll[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@advertising[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@apmebf[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@at.atwola[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@atdmt[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@bs.serving-sys[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@casalemedia[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@collective-media[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@doubleclick[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@dynamic.media.adrevolver[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@ehg-mh.hitbox[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@fastclick[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@insightexpressai[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@media.adrevolver[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@msnportal.112.2o7[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@overture[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@questionmarket[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@richmedia.yahoo[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@serving-sys[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@snap9.advertserve[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@specificclick[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@specificmedia[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@statcounter[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@superstats[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@tacoda[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@trafficmp[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@www.googleadservices[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@www.googleadservices[2].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@www.googleadservices[3].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@zedo[1].txt
C:\Users\Kim\AppData\Roaming\Microsoft\Windows\Cookies\Low\kim@zillow.adbureau[2].txt

Trace.Known Threat Sources
C:\Users\Joeyp\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AQTKTEAG\virusremover2009[1].jpg
C:\Users\Kim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8EP4HUPP\virusremover2009[1].jpg

#4 Aorp (Members, 25 posts, Fredericksburg, VA)

Posted 01 April 2009 - 06:51 PM

> Hi,
>
> I woke this morning to find that my computer had spam emailed everyone in my Hotmail folder. I run Norton Internet Security, ran Windows Update yesterday, which showed my system as up to date, and also ran Windows Defender; all showed my system as clean. I downloaded Malwarebytes Antivirus and did a quick scan which found no infections. I am currently running a full system scan using Malwarebytes which has been running for over an hour but has not detected any infections.
>
> I went to the Microsoft website to check on what to look for if you are infected with Conficker C, and it stated that it would add an option to your AutoPlay. I inserted a TurboTax CD into the computer, and when AutoPlay comes up it appears that there is a box at the top for "Install or run program". With the TurboTax CD it gives me the option that says "Run Setup.exe, Published by Intuit". I did not click on this option.
>
> I am guessing that I am somehow infected with Conficker? Can anyone provide any additional information on what I should do?
>
> Thanks,
>
> Joe P

I don't think it is Conficker...

"The worm can be easily detected and removed by users. For example, if a PC is unable to reach Web sites such as McAfee.com, Microsoft.com, or TrendMicro.com, that is an indication that the computer may be infected."

A quote from an article released about the conficker worm.

This is the original article

I'm not an expert, assume I'm wrong.

#5 KonamiYoto (Members, 86 posts)

Posted 01 April 2009 - 07:11 PM

If Malwarebytes found nothing, I'm guessing that you were hacked.
Do you have MSN? If you do, it could be this virus going around; if you click this .exe file on MSN, that would also cause this.

I'll research this and see if I find anything.

#6 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 01 April 2009 - 07:54 PM

Hi, this was not Conficker; MBAM would have found it. I suspect it was a case of "spoofing". Here are some details from CERT on that.
Spoofed/Forged Email

#7 joepdx (Topic Starter, Members, 10 posts)

Posted 01 April 2009 - 08:36 PM

I ran Dr.Web CureIt! from Safe Mode and after a long scan no virus was found. I am familiar with spoofing and social engineering and did not give my password to anyone, and it is something that would be difficult to guess. When I got my new computer it came with Windows Messenger, which loads at startup, but I never sign in. I have tried to disable it from loading at startup but was unable to. I changed all my passwords and my online banking password just in case. I am guessing the 62 threats found by SUPERAntiSpyware were not viruses but just normal files on the computer? After running the 3 scans I am thinking my computer is clean, but it is disheartening. Would you take any further action beyond changing your passwords? Thanks

Just one last piece of info: the emailing took place at 4:11am. Multiple emails were generated and many failed to go through. My wife was in my contact list, and the email she received from me had the following content:

Subject line: "No Subject"

Dear Friend,

How are you doing recently. I would like to introduce you to a company which I knew. Offering electronic equipment..... etc. It then listed a website, buy-hot.net, and their email, buyhot@188.cpm.

Hope you have a good mood shopping from their company.
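The "spoofing" explanation offered earlier in the thread and the message just quoted can be settled from the full headers of a copy that was actually received, rather than from more scans of the PC. As an added example (not code from this thread, from CERT, or from any product named here), the Python below reads a raw message and separates the two cases that matter for what to do next: a forged From: line, where the mail never passed through the account's provider, versus mail the provider itself handed to the recipient's server, which means the account's credentials or a logged-in session were used and the password change was the right call. Only the topmost Received: line is trustworthy, because the recipient's own server wrote it; everything below it, along with From:, Return-Path: and Message-ID:, was supplied by whoever sent the mail. The two sample messages, the hostnames, the documentation-range IP addresses and the PROVIDER_DOMAINS list are constructed assumptions.

```python
"""Header triage for a "my account sent spam to my contacts" report.

Added example, not from the thread.  Receiving servers prepend a Received:
header as a message passes through them, so the list reads newest-first and
the top entry is the only one the sender could not have written.  The
verdict keys on that entry; the remaining checks look for the inconsistency
forgers usually leave between the envelope, the Message-ID and the From:.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the account's provider relays outbound mail from hosts under
# these domains (Hotmail also used live.com at the time).
PROVIDER_DOMAINS = ("hotmail.com", "live.com")

# Constructed sample 1: forged sender.  A consumer-line host hands the message
# straight to the recipient's server; nothing in the chain is the provider's.
FORGED = """\
Return-Path: <bounce@bulkmailer.invalid>
Received: from 198-51-100-77.dsl.example.net (unknown [198.51.100.77])
    by mx.recipient.example with ESMTP id 4f1c for <kim@recipient.example>;
    Wed, 1 Apr 2009 04:11:03 -0700
From: "Joe P" <joe@hotmail.com>
To: kim@recipient.example
Message-ID: <20090401041100.918@198-51-100-77.dsl.example.net>
Subject: No Subject

Dear Friend,
"""

# Constructed sample 2: the provider's own relay (documentation IPs) delivers
# the message and the envelope, Message-ID and From: all agree.  The
# X-Originating-IP line is the kind of webmail-client evidence a provider may
# add; it is informational here and not used by the checks.
VIA_PROVIDER = """\
Return-Path: <joe@hotmail.com>
Received: from omc1.hotmail.com (omc1.hotmail.com [192.0.2.10])
    by mx.recipient.example with ESMTP id 7f3a for <kim@recipient.example>;
    Wed, 1 Apr 2009 04:11:02 -0700
Received: from webmail-w12 ([192.0.2.11]) by omc1.hotmail.com with SMTP;
    Wed, 1 Apr 2009 04:11:01 -0700
X-Originating-IP: [198.51.100.9]
From: "Joe P" <joe@hotmail.com>
To: kim@recipient.example
Message-ID: <BAY0-W12-0401041100@hotmail.com>
Subject: No Subject

Dear Friend,
"""

_FROM = re.compile(r"\bfrom\s+([^\s(\[;]+)", re.I)
_BY = re.compile(r"\bby\s+([^\s(\[;]+)", re.I)


def received_hops(msg):
    """(from_host, by_host) per Received: header, newest (recipient side) first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m_from, m_by = _FROM.search(flat), _BY.search(flat)
        hops.append((m_from.group(1).lower() if m_from else "",
                     m_by.group(1).lower() if m_by else ""))
    return hops


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, provider_domains=PROVIDER_DOMAINS):
    """Classify one raw message as forged or as sent through the provider."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_dom = _domain(msg.get("From", ""))
    findings = []

    # The trusted fact: which host handed the message to the recipient's server.
    handoff = hops[0][0] if hops else ""
    delivered_by_provider = _under(handoff, provider_domains)
    if not hops:
        findings.append("no Received: headers; nothing to trust")
    elif not delivered_by_provider:
        findings.append(f"handed to recipient MX by {handoff!r}, not by {from_dom}")

    # Consistency checks on sender-controlled fields; forgers rarely align them.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom!r} differs from From: {from_dom!r}")
    mid_dom = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if mid_dom and not _under(mid_dom, provider_domains):
        findings.append(f"Message-ID domain {mid_dom!r} is not the provider's")

    if not hops:
        verdict = "undetermined"
    elif delivered_by_provider and not findings:
        verdict = "sent-through-provider"      # credentials or session used: rotate password
    elif delivered_by_provider:
        verdict = "sent-through-provider-inconsistent"
    else:
        verdict = "forged"
    return {"verdict": verdict, "handoff_host": handoff, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("VIA_PROVIDER", VIA_PROVIDER)):
        print(name, triage(raw))
```

Run it on the full headers of the copy a contact received (the raw message, not the rendered view). A "sent-through-provider" result from several contacts' copies points at the account rather than the PC, which is consistent with three clean scans, and makes changing the password and reviewing any forwarding rules or linked addresses on the account the priority; a "forged" result means the account was only impersonated. Where the receiving server records SPF or DKIM results, those add independent evidence along the same line.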

#8 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 01 April 2009 - 10:30 PM

Hello, yes, SUPERAntiSpyware found a lot of tracking cookies, which are not serious malware, and 2 traces of a removal tool.
Is this Windows Live Messenger?
I have a few more suggestions in response to those good steps you have taken. Use stronger passwords on your email accounts.

If you don't use Messenger and don't want the exposed risk, remove it.

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. They are often bundled with the malware causing your problems. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Messenger Plus! Live & Sponsor (CiD)
CiD Help
CiD Manager
Bitdownload
Bitgrabber
BitRol
Download Plugin for Internet Explorer
Get-Torrent
Netpumper
Search Plugin
Torrent101
W3player
WinZix
Zone Media

While uninstalling any of the above, if you are asked for a Verification code, please enter the numbers that appear in the window. When done, be sure to reboot your computer. <- Important!

If you want to keep it then use this... How to install Messenger Plus! Live without the Sponsor.


Now let's do one more short scan.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



