a virus on my computer that program cant find
27 replies to this topic

#1 MoMo27


Posted 02 April 2009 - 09:16 PM

I recently caught a virus and had to scan it with Malwarebytes' Anti-Malware. I found the viruses and deleted them, but I wanted to make sure, so I scanned my computer again with this website's Panda ActiveScan. It said I found 1 infected file and a suspicious file. The infected file was w32/boface.al.worm and the file is under c:\\windows\system32\config\system profile\local settings\temporary internet files\content.IES\kpe3ctmv\test1[1].exe. The problem is my virus scanners are not finding anything wrong with my computer. Everything is clean according to Malwarebytes and Dr.Web CureIt. I also have the McAfee system on my computer, which doesn't find anything.


#2 boopme


Posted 02 April 2009 - 09:36 PM

Hello and welcome. Let's do these and see the logs.

Run ATF and SAS:
From your regular user account, download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete Scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 MoMo27


Posted 02 April 2009 - 11:46 PM

I ran the three programs and they found nothing. Here are the scan logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/02/2009 at 11:33 PM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type : Complete Scan
Total Scan Time : 01:40:59

Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 5707
Registry threats detected : 0
File items scanned : 60269
File threats detected : 0





Malwarebytes' Anti-Malware 1.35
Database version: 1924
Windows 5.1.2600 Service Pack 3

4/2/2009 11:43:28 PM
mbam-log-2009-04-02 (23-43-28).txt

Scan type: Quick Scan
Objects scanned: 67593
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme


Posted 03 April 2009 - 10:51 AM

Hi, I'm suspecting you got it. If you want a second opinion run this online scan.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.


#5 MoMo27


Posted 03 April 2009 - 05:49 PM

I ran the scan and you were right. There was an infected file. Here's the scan log.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, April 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, April 03, 2009 21:01:30
Records in database: 2006772
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\
Scan statistics
Files scanned 61891
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:02:23

File name Threat name Threats count
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KPE3CTMV\test1[1].exe Infected: Backdoor.Win32.Lithium.eh 1
The selected area was scanned.

#6 boopme


Posted 03 April 2009 - 06:45 PM

Ok, that's good to know. Now let's try running SDFix and then an updated MBAM.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan.
  • When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the context menu. Then reboot to apply the changes.


Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 MoMo27


Posted 05 April 2009 - 07:01 PM

Sorry I took a while! Had to write up a report and now I finally got to do this. I did the SDFix scan, but it was really, really fast! I thought it would be a long scan, but it was probably about 15 minutes max. Is that supposed to happen or did I mess it up? I don't think it found anything.... Well, here are the two scans.



SDFix: Version 1.240
Run by Administrator on Sun 04/05/2009 at 04:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 16:29:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"="C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576"
"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre6\\bin\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Hawkes Learning Systems\\STAT\\ALSTOC.exe"="C:\\Program Files\\Hawkes Learning Systems\\STAT\\ALSTOC.exe:*:Enabled:Statistics"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 5 Nov 2008 196 A.SHR --- "C:\BOOT.BAK"
Mon 9 Mar 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 9 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"

Finished!




Malwarebytes' Anti-Malware 1.35
Database version: 1924
Windows 5.1.2600 Service Pack 3

4/5/2009 10:56:13 AM
mbam-log-2009-04-05 (10-56-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134624
Time elapsed: 33 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
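The "Authorized Application Key Export" in the SDFix report above lists every program the XP firewall lets through, and it is worth reading line by line, since an unexpected Enabled entry is one place a backdoor can leave a trace. The parser below is an added example, not part of the thread or of SDFix: it reads that export format, undoes the .reg backslash escaping, expands %windir% (assumed here to be C:\WINDOWS) and flags enabled exceptions whose binary sits outside Program Files or Windows. Three sample lines are copied from the posted log; the temp-folder entry is constructed to show what a flag looks like.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Directory roots treated as expected homes for firewall exceptions
# (assumption for this example; adjust to the machine being reviewed).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
WINDIR = "C:\\WINDOWS"  # assumed value of %windir% on this XP install

# Sample export: three lines copied from the SDFix log posted above plus one
# constructed entry (a temp-folder executable) to exercise the flagging path.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"="C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\test1[1].exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\test1[1].exe:*:Enabled:test1"
'''

# A list header names the firewall profile the following entries belong to.
KEY_RE = re.compile(
    r"\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list\]$", re.IGNORECASE
)
# Each entry is "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>".
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')


@dataclass
class FirewallException:
    profile: str   # standardprofile or domainprofile
    path: str      # unescaped, %windir% expanded
    scope: str     # '*' means any remote address
    enabled: bool
    name: str      # display name shown in the Windows Firewall UI


def _normalise_path(reg_path: str) -> str:
    # .reg exports double every backslash; undo that and expand %windir%.
    return reg_path.replace("\\\\", "\\").replace("%windir%", WINDIR)


def parse_export(text: str) -> list[FirewallException]:
    """Parse the AuthorizedApplications export section of an SDFix report."""
    entries: list[FirewallException] = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.search(line)
        if key_match:
            profile = key_match.group("profile").lower()
            continue
        entry = ENTRY_RE.match(line)
        if not entry or profile is None:
            continue  # blank line, unrelated key, or entry before any list header
        key, value = entry.group("key"), entry.group("value")
        if not value.startswith(key + ":"):
            continue  # malformed: the value must repeat the path before the flags
        parts = value[len(key) + 1:].split(":", 2)
        if len(parts) != 3:
            continue  # missing scope/state/name; skip rather than guess
        scope, state, name = parts
        entries.append(FirewallException(
            profile, _normalise_path(key), scope, state.lower() == "enabled", name))
    return entries


def enabled_outside_trusted(entries: list[FirewallException]) -> list[FirewallException]:
    """Enabled exceptions whose binary lives outside the trusted roots."""
    return [e for e in entries
            if e.enabled and not e.path.lower().startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    for e in enabled_outside_trusted(parse_export(SAMPLE_EXPORT)):
        print(f"review: {e.profile} {e.name!r} -> {e.path}")
```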

#8 boopme


Posted 06 April 2009 - 10:21 AM

You look clean now, do you have any signs of malware on that end?

#9 MoMo27


Posted 07 April 2009 - 10:57 PM

Hey! I wanted to make sure that my computer was clean so I scanned it with the online scan again and it actually found the same one and 1 more infected file. I scanned with my McAfee program and it found more viruses and hacktools... the hacktools were the SDFix I downloaded from the site... is it safe to use? I scanned it again with Dr.Web CureIt and it found a lot of hacktools and folders with infected files... I didn't know what to do so I just did a system restore... I'm trying to find out what is a good firewall and antivirus program I should use since I don't want this to happen again... I also plan on doing an online scan again just to make sure everything was erased...

#10 boopme


Posted 08 April 2009 - 09:33 AM

Hi, looks like you still have something.. also, unfortunately, you may have also restored some infections now. Most likely you need to start over cleaning. That said, it appears that the backdoor is regenerating and possibly cannot be fully killed; it is of their nature in some cases. Read this about those backdoors. Decide if you would like to move to the HiJackThis forum or not.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#11 MoMo27


Posted 08 April 2009 - 08:58 PM

Hi! I completely wiped everything from my computer and reinstalled it like it was store-bought... Do you think that my computer is safe now?

#12 boopme


Posted 08 April 2009 - 09:29 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.
Thanks for letting us know.

Please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

#13 MoMo27


Posted 09 April 2009 - 12:57 PM

Hi! I did the factory restore, but I don't have a firewall to protect myself. I downloaded McAfee, MB, and Dr.Web CureIt, but it looks like I'm still getting attacked by trojans and spyware. It started when I uninstalled this program from the computer that came with the factory restore, but McAfee blocked a virus because I uninstalled that program. I wanted to know if that was supposed to happen?
Another thing, I was wondering if you can recommend me a really good firewall.. My computer doesn't have one right now and I don't know which one is good. I used to have Norton firewall on my computer, but I uninstalled it. I'm now looking for one that is easy to understand, but very protective. I don't want this to happen again..

#14 boopme


Posted 10 April 2009 - 01:04 PM

Ok, for now enable the Windows Firewall.
To enable Windows Firewall, follow these steps:
Click Start, click Run, type Firewall.cpl, and then click OK.
On the General tab, click On (recommended).
Click OK.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#15 MoMo27


Posted 11 April 2009 - 07:58 PM

I turned off my Windows Firewall and downloaded Comodo Firewall instead. I think that would be a lot safer than the Windows Firewall... I also took off the McAfee program since it didn't seem to protect my computer much. I hope this works out better though..
