
Multiple infections


11 replies to this topic

#1 JJ133169


Posted 08 April 2009 - 09:12 AM

Hey all. I recently was infected with something nasty. I did some research, and thought I was infected with Conficker. Then I realized Conficker didn't have an MS 2009 Antivirus popup, so I wasn't sure. Maybe I have both? Maybe I have neither. I'm not sure. I have run scans such as McAfee, Fix It antivirus, Windows Defender, Windows malware tool, McAfee Conficker removal tool, and a few online-based scans. Stuff has come up but doesn't seem to get removed (stuff has come up on the online Norton scan and Windows OneCare). McAfee catches a worm at startup every time, but I know it keeps infecting over and over. I think I got something that opened up backdoors for further infection. When I first noticed the MS 2009 popup I was like crap, because we had talked about that in my networking class and such, so I knew about it, so I instantly killed the power to my laptop. Haven't seen it since. Then I started in safe mode and did a disk cleanup and antivirus scans. Haven't seen that since, so maybe I got rid of that. This virus also jumps to my flash drive, and when it's deleted from there, 10 seconds later it reappears, and the .inf gets picked up and deleted by McAfee, but the .exe stays there, and if I delete the .exe the .inf comes back and so on and so forth. I also notice tons of stuff that shouldn't be in my startup that is, and that can't be turned off. It's obvious they're the virus or whatnot...

Help please. OS = Win XP Media Center 2005. Everything is updated. IDK how I even got this since everything is current and up to date.

I will list below what some scans have picked up:

Norton online scan: C:\program Files\Microsoft Common\svchost.exe is infected with Suspicious.MH690, I believe that's what the message was. I also believe it wasn't deleted by the scan.

On startup McAfee detects this: W32\Autorun.worm.gen(virus)W32/Autorun.worm.gen(virus)
Location: C:\Documents and settings\Owner.Laptop\Local Settings\Temp\rdl1.tmp

And this is what it picks up on my flash drive: J:\autorun.inf (generic something, then trojan)
Location: J:\autorun.inf

Then I did a Windows OneCare online scan and it got this:

3 severe issues found:
Trojan:win32/Hiloti.gen!A 5 items detected
TrojanDropper:win32/Opachki.A 14 items detected
VirTool:win32/CeeInject.gen!A 2 items detected
1 High issue found
TrojanDownloader:win32/Renos.HL

I think it removed some, but it said 3 items could not be deleted?


And my external HDD (that has about an 85% backup of my system) was plugged in at the time, and it could be infected, so I really can't plug it in to check, because if it isn't I risk infection. So how do I remove this stuff? I really don't want to format, and if I had to, my data on my external HDD may just infect the formatted PC again. Help please.



#2 Guest_superbird_*


Posted 08 April 2009 - 01:21 PM

Hi,

Please connect all the (possibly) infected USB devices to your computer.
Then, follow the next steps:

1. Download Flash Disinfector to your desktop.
Run it and follow the steps that are given.

2. Reboot your computer.

3. Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 JJ133169


Posted 08 April 2009 - 08:14 PM

The flash drive scanner thing didn't work... but here are the logs.

I ran it twice a few times.

1:

Malwarebytes' Anti-Malware 1.36
Database version: 1952
Windows 5.1.2600 Service Pack 3

4/8/2009 6:50:23 PM
mbam-log-2009-04-08 (18-50-13).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 169088
Time elapsed: 39 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djehucejaqa (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: k3mspsen.dll -> No action taken.

Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\Microsoft Common (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\k3mspsen.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\ivopanuv.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner.Laptop\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.


For some reason I think I have 2 logs for the first scan :thumbsup: Sorry

Malwarebytes' Anti-Malware 1.36
Database version: 1952
Windows 5.1.2600 Service Pack 3

4/8/2009 6:50:31 PM
mbam-log-2009-04-08 (18-50-31).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 169088
Time elapsed: 39 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djehucejaqa (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: k3mspsen.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\k3mspsen.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ivopanuv.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner.Laptop\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.


And then the second scan:


Malwarebytes' Anti-Malware 1.36
Database version: 1952
Windows 5.1.2600 Service Pack 3

4/8/2009 8:01:38 PM
mbam-log-2009-04-08 (20-01-38).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 168918
Time elapsed: 39 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djehucejaqa (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What should I do now? By the way, I'm in safe mode... regular mode, as of before the scan, was not working so hot. And the flash drive is STILL infected...?
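An added example, not part of any post in this thread and not Malwarebytes' own tooling: a small parser for the MBAM 1.36 text log layout shown above that lists the items a scan has not yet removed ("No action taken" or "Delete on reboot"). The sample is an excerpt of the log lines posted above; the function names `parse_mbam_log` and `unresolved` are made up for this illustration.

```python
import re
from collections import Counter

# Trimmed excerpt of the log posted above (values copied from the page).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djehucejaqa (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: k3mspsen.dll -> Delete on reboot.

Files Infected:
C:\WINDOWS\k3mspsen.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A section header ends at the colon; summary lines such as
# "Files Infected: 4" carry a count after it and are skipped.
SECTION = re.compile(r"^(.+ Infected):\s*$")
# "<object> (<detection>) -> [Data: <value> ->] <action>."
ITEM = re.compile(r"^(?P<obj>.+) \((?P<det>[^()]+)\) -> "
                  r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with its log section."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items

def unresolved(items):
    """Items not yet removed: untouched, or waiting for a reboot."""
    done = "Quarantined and deleted successfully"
    return [i for i in items if i["action"] != done]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(Counter(i["action"] for i in found))
    for i in unresolved(found):
        print(f'{i["section"]}: {i["obj"]} [{i["det"]}] -> {i["action"]}')
```

Running the same parser over the follow-up scan and comparing the unresolved lists shows whether a "Delete on reboot" entry was actually cleared after the restart.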

#4 Guest_superbird_*


Posted 09 April 2009 - 12:36 AM

-- See below --

Edited by superbird, 09 April 2009 - 09:12 AM.


#5 JJ133169


Posted 09 April 2009 - 08:23 AM

Thanks.

Should I do all that in the system's built-in administrator account? Or should I use my account? I have to be in safe mode, by the way.
And even in safe mode... when I delete the file off the flash drive it comes back...

#6 JJ133169


Posted 09 April 2009 - 08:49 AM

When I go to the next forum (I'm at school, I'll run and post the program when I'm at home) should I screenshot my Windows startup from msconfig? Would that be helpful?

#7 JJ133169


Posted 09 April 2009 - 08:56 AM

One more question. If I run Malwarebytes in safe mode (because regular mode is very unstable) and it has me reboot to clean or delete something, should I restart and let it boot into regular mode, or boot it back into safe mode?

#8 Guest_superbird_*


Posted 09 April 2009 - 09:08 AM

-- See below --

Edited by superbird, 09 April 2009 - 09:12 AM.


#9 Guest_superbird_*


Posted 09 April 2009 - 09:11 AM

Hi,

OK. I heard I may continue, so please don't do anything I advised above (I will delete it in a minute).

Do this instead:

Make a new, full scan, with MBAM, and post the logfile in your next reply.
:thumbsup:

#10 JJ133169


Posted 09 April 2009 - 04:31 PM

Alright. I will start it now. I take it it's alright that I'm in the computer's built-in administrator account in safe mode.

#11 JJ133169


Posted 09 April 2009 - 05:13 PM

Windows 5.1.2600 Service Pack 3

4/9/2009 5:09:41 PM
mbam-log-2009-04-09 (17-09-41).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 169177
Time elapsed: 37 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Should I boot into normal mode? Or should I run some more scans from safe mode? The ones I had run before? I deleted the .exe off my flash drive, and from what I can see it hasn't come back yet. So I think that's a good sign.

#12 Guest_superbird_*


Posted 10 April 2009 - 05:36 AM

Hi,

You can boot in normal mode.
Then, do this:

Please go to the Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here



