Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan infection?


  • Please log in to reply
6 replies to this topic

#1 LORI_D

LORI_D

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 11 April 2009 - 10:53 AM

Hi, yesterday my computer apparently got infected with several trojans and I've gone crazy trying to remove them. They are detected by McAfee in sets of two or three. They are always the same ones: Generic!Artemis, Generic rootkit.w, and Backdoor-AWQ.b. The McAfee warning pop-ups will sometimes occur every five minutes, and sometimes every twenty to thirty. They only occur when I use Firefox or Internet Explorer. The trojans also appear to be in different locations, temp files and system files, or even in the McAfee agent itself. I've run Malwarebytes and it finds and removes them, but they only come back after reboot. Likewise, McAfee states it removes them, but they only come back. I am afraid to use my computer for any important stuff like online banking, and have already changed my passwords through my husband's computer. Now I just want to get rid of these viruses!! Can anyone help me? Thank you.

Some more info: When I run Malwarebytes and I do the shutdown, a Windows alert pops up for Lori.exe that says: The application failed to initialize because the windows station is shutting down." I've never seen this before. Also, the Generic Rootkit appears to be in my drivers folder, but the other two always appear to be in my Local Settings, in a temp file.

Lori

Edited by LORI_D, 11 April 2009 - 12:19 PM.


BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:57 AM

Posted 11 April 2009 - 12:26 PM

Please download and run Processexplorer


http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here



and please post the last MBAM log

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 LORI_D

LORI_D
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 11 April 2009 - 12:39 PM

Here is the ProcessExplorer log:

Process PID CPU Description Company Name
System Idle Process 0 90.44
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 1.47
smss.exe 824 Windows NT Session Manager Microsoft Corporation
csrss.exe 876 Client Server Runtime Process Microsoft Corporation
winlogon.exe 904 Windows NT Logon Application Microsoft Corporation
services.exe 948 1.47 Services and Controller app Microsoft Corporation
svchost.exe 1108 Generic Host Process for Win32 Services Microsoft Corporation
mcagent.exe 2900 McAfee Integrated Security Platform McAfee, Inc.
svchost.exe 4276 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 4880 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 5680 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 6076 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 5312 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 3652 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 4516 Generic Host Process for Win32 Services Microsoft Corporation
igfxsrvc.exe 2220 igfxsrvc Module Intel Corporation
wmiprvse.exe 3716 WMI Microsoft Corporation
BTSTAC~1.EXE 2544 Bluetooth Stack COM Server Broadcom Corporation.
svchost.exe 1188 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1228 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 6120 Windows Update Automatic Updates Microsoft Corporation
btwdins.exe 1252 Bluetooth Support Server Broadcom Corporation.
svchost.exe 1328 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1404 Generic Host Process for Win32 Services Microsoft Corporation
WLTRYSVC.EXE 1540
BCMWLTRY.EXE 1592 Dell Wireless WLAN Card Wireless Network Controller Dell Inc.
spoolsv.exe 1656 Spooler SubSystem App Microsoft Corporation
PhotoshopElementsFileAgent.exe 1772
hnm_svc.exe 1840 Advanced Networking Service Application SingleClick Systems
PIFSvc.exe 1880 LiveUpdate Notice Service Symantec Corporation
McSACore.exe 1908 SiteAdvisor McAfee, Inc.
mcmscsvc.exe 1932 McAfee Services McAfee, Inc.
McNASvc.exe 1976 McAfee Network Agent McAfee, Inc.
McProxy.exe 2008 McAfee Proxy Service Module McAfee, Inc.
Mcshield.exe 188 On-Access Scanner service McAfee, Inc.
MpfSrv.exe 384 McAfee Personal Firewall Service McAfee, Inc.
sprtsvc.exe 592 SupportSoft Agent Service SupportSoft, Inc.
stacsv.exe 624 STacSV Module SigmaTel, Inc.
svchost.exe 812 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 856 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 2788 Application Layer Gateway Service Microsoft Corporation
mcsysmon.exe 2300 McAfee SystemGuards Service McAfee, Inc.
lsass.exe 960 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 2920 0.74 Windows Explorer Microsoft Corporation
Apoint.exe 3816 Alps Pointing-device Driver Alps Electric Co., Ltd.
ApMsgFwd.exe 2056 ApMsgFwd Alps Electric Co., Ltd.
hidfind.exe 3140 Alps Pointing-device Driver Alps Electric Co., Ltd.
hkcmd.exe 1832 hkcmd Module Intel Corporation
igfxpers.exe 2180 persistence Module Intel Corporation
jusched.exe 2148 Java™ Platform SE binary Sun Microsystems, Inc.
jucheck.exe 5256 Java™ Update Checker Sun Microsystems, Inc.
quickset.exe 2064 QuickSet Dell Inc.
WLTRAY.EXE 2144 Dell Wireless WLAN Card Wireless Network Tray Applet Dell Inc.
stsystra.exe 1600 Sigmatel Audio system tray application SigmaTel, Inc.
KADxMain.exe 2448 IntelliSonic Systray Control (KADxMain) Knowles Acoustics
GoogleDesktop.exe 3052 Google Desktop Google
PCMService.exe 3272 CyberLink PowerCinema Resident Program CyberLink Corp.
pptd40nt.exe 3704 PaperPort Print to Desktop for NT ScanSoft, Inc.
BrMfcWnd.exe 3984 Brother Status Monitor MFC Application
sprtcmd.exe 4040 SupportSoft, Inc.
PIFSvc.exe 280 LiveUpdate Notice Service Symantec Corporation
apdproxy.exe 364 Adobe Photoshop Album Starter Edition 3.2 component Adobe Systems Incorporated
GrooveMonitor.exe 772 GrooveMonitor Utility Microsoft Corporation
PTAgnt.exe 2668 Dell Automated PC TuneUp Gteko Ltd.
HOMERunner.exe 3436 System Tray application for TomTom HOME TomTom
GoogleToolbarNotifier.exe 3480 GoogleToolbarNotifier Google Inc.
ctfmon.exe 3948 CTF Loader Microsoft Corporation
BTTray.exe 3256 Bluetooth Tray Application Broadcom Corporation.
CRSSupervisor.exe 724 Craft ROBO Status Supervisor Graphtec Corporation
ezi_hnm2.exe 3924 Advanced Networking Application SingleClick Systems
DLG.exe 2196 Digital Line Detection Avanquest Software
WZQKPICK.EXE 2732 WinZip Executable WinZip Computing, S.L.
WINWORD.EXE 2848 Microsoft Office Word Microsoft Corporation
MySurveyMessenger.exe 3116 MySurvey Messenger MFC Application
firefox.exe 5708 1.47 Firefox Mozilla Corporation
procexp.exe 5324 2.21 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ApntEx.exe 3092 Alps Pointing-device Driver for Windows NT/2000/XP/Vista Alps Electric Co., Ltd.
BrccMCtl.exe 508 Control Center 3 Main Program Brother Industries, Ltd.
Ymsgr_tray.exe 4056 Yahoo! Messenger Tray Yahoo! Inc.
soffice.exe 3400 OpenOffice.org 2.4 OpenOffice.org
soffice.bin 3664 OpenOffice.org 2.4 OpenOffice.org
Lori.exe 3148 1.45
Lori.exe 2084 2.21

#4 LORI_D

LORI_D
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 11 April 2009 - 12:46 PM

Here is what I got from Malwarebytes:

Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 3

4/11/2009 12:45:59 PM
mbam-log-2009-04-11 (12-45-59).txt

Scan type: Quick Scan
Objects scanned: 90139
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amd64si (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\securentm (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispy (Rogue.IEAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lori\udltcksbjryhpxgovemud.exe (Rogue.IEAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BN88.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BN8A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BN91.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNA7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNAB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNAC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNAD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNBB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNC4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNC8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNCA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Local Settings\Temp\BNDD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:57 AM

Posted 11 April 2009 - 12:50 PM

rightclick on both lori's, kill process

update and run a quick scan with MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#6 LORI_D

LORI_D
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 11 April 2009 - 12:53 PM

It doesn't let me. When I try I get a message "Error opening process:the parameter is incorrect."

#7 LORI_D

LORI_D
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:57 AM

Posted 11 April 2009 - 01:21 PM

Ok, I found a way to kill the processes. I noticed in the properties that the Lori.exe file was created the day I started having problems, so I just deleted the file. After I ran Malwarebytes again there are no infections. I rebooted my computer and so far so good. Thanks so much!!

Edited by LORI_D, 11 April 2009 - 01:23 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users