(Virus detected) REG/TCPParams.A & BAT/Zapchast.AX


  • Please log in to reply
7 replies to this topic

#1 cosmo727 (Members, 23 posts)
Posted 01 May 2009 - 02:22 PM

Hello smart computer people

My anti-virus detected these two viruses and quarantined them.

1) REG/TCPParams.A
2) BAT/Zapchast.AX

What is the best way to get rid of them? I haven't noticed anything strange yet. The firewall is blocking the first one. My operating system is XP Pro. Any help would be greatly appreciated.

Thanks
cosmo727


#2 buddy215 (Moderator, 13,323 posts, West Tennessee)
Posted 02 May 2009 - 08:17 AM

Using one or both of the programs Super Antispyware or MalwareBytes AntiMalware should remove the malware.

Instructions and links to downloads are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1087935

Be sure to UPDATE the programs after downloading, installing and before running each scan.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cosmo727 (Topic Starter, 23 posts)
Posted 06 May 2009 - 09:44 AM

Sorry that it took so long to reply, been very busy lately. MalwareBytes AntiMalware seemed to do the trick!! Thank you very much for the advice.

cosmo727

#4 buddy215 (Moderator, 13,323 posts, West Tennessee)
Posted 06 May 2009 - 09:56 AM

Please post the first log from MBAM and run another scan and post that log too, if anything was found.

#5 cosmo727 (Topic Starter, 23 posts)
Posted 06 May 2009 - 12:08 PM

First scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2082
Windows 5.1.2600 Service Pack 3

06/05/2009 9:22:10 AM
mbam-log-2009-05-06 (09-22-10).txt

Scan type: Quick Scan
Objects scanned: 83952
Time elapsed: 6 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\winreger.exe (Trojan.Dropper) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Manager System (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Manager System (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winreger.exe (Trojan.Dropper) -> Delete on reboot.


Second scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2082
Windows 5.1.2600 Service Pack 3

06/05/2009 9:37:07 AM
mbam-log-2009-05-06 (09-37-07).txt

Scan type: Quick Scan
Objects scanned: 83535
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 cosmo727 (Topic Starter, 23 posts)
Posted 06 May 2009 - 12:22 PM

Just as a note I used Super Antispyware first and scanned in safe mode as per the instructions. It detected some items but I was unable to retrieve the log after rebooting out of safe mode.

#7 buddy215 (Moderator, 13,323 posts, West Tennessee)
Posted 06 May 2009 - 01:38 PM

Whenever malware is labeled a "backdoor", such as the one in your log, you should consider your computer completely compromised. Meaning that all passwords and financial info (banking, PayPal, credit cards, etc.) have possibly been sent to the persons responsible for infecting your computer. Most professionals will advise wiping the HD, reformatting and reinstalling all software as the best way to repair and ensure a backdoor to your computer has not been left open. More info in the link below.
http://www.dslreports.com/faq/10063

If you decide not to reinstall, you need to delete the existing "restore points" as some are infected. Deleting all is the only option. Info on how to do that, if needed, is in the link below.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Clean up your temporary files and logs.
Double-click ATF-Cleaner.exe to run the program.
http://www.atribune.org/ccount/click.php?id=1
* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Use the Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/Remove and remove ALL old Java programs.
The IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. It is important to get the latest updates to avoid malware exploiting those programs.
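
As an added example (not from this thread, nor from Malwarebytes), a small Python parser for the MBAM log layout cosmo727 posted in #5: it cross-checks the summary counts against the detail sections, lists the detection names classified as a backdoor (the case buddy215 addresses in #7), and lists the items MBAM could only schedule for removal at reboot, which is why the second scan matters. The sample log is constructed from the entries of the first scan and is abridged.

```python
import re

# Constructed sample in the layout of the MBAM 1.36 logs above, abridged from cosmo727's first scan.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Memory Processes Infected: 1
Registry Values Infected: 2
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\winreger.exe (Trojan.Dropper) -> Failed to unload process.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Manager System (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Manager System (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winreger.exe (Trojan.Dropper) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")          # summary line
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                    # detail heading
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")   # one detection


def parse_mbam_log(text):
    """Return (summary counts by section, {section: [(path, family, action), ...]})."""
    counts, findings, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
            findings[section] = []
        elif section and (m := ITEM_RE.match(line)):
            findings[section].append((m["path"], m["family"], m["action"]))
    return counts, findings


def summary_is_consistent(counts, findings):
    """True when each detail section lists exactly as many items as the summary claims."""
    return all(len(findings.get(s, [])) == n for s, n in counts.items())


def backdoor_families(findings):
    """Detection names MBAM classifies as a backdoor: the case that means 'treat the host as fully compromised'."""
    return sorted({fam for items in findings.values() for _, fam, _ in items if fam.lower().startswith("backdoor")})


def not_yet_removed(findings):
    """Paths whose action was not an immediate quarantine, so a reboot and a rescan are still needed."""
    return sorted({p for items in findings.values() for p, _, act in items if not act.startswith("Quarantined and deleted")})
```
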

#8 cosmo727 (Topic Starter, 23 posts)
Posted 06 May 2009 - 07:14 PM

Thank you very much for all your help. Looks like I have some work to do.
