
Multiple symptoms reoccur and resist antispyware


11 replies to this topic

#1 dbucci
  • Members, 8 posts

Posted 12 May 2009 - 05:03 PM

The problem began about a week ago, and I suspect it may have been a result of something I downloaded on limewire. The symptoms don't occur all the time--rebooting and running antispyware helps for short periods of time, but inevitably, they return. Here's what I've experienced:

When clicking search results in Google, I am redirected to other ad pages.
Sometimes my web browser or internet-dependent programs (like updates) won't recognize that I am connected to the internet.
MalwareBytes frequently fails.
My computer reboots without my consent and, upon restart, sometimes a browser window will open to a page from microsoft informing me that I experienced a fatal bluescreen error.
My flash drive is recognized insofar as the tray icon appears to allow me to safely eject it, and I have safely ejected it, but I can not open it--it doesn't show up in My Computer at all.
AOL email will frequently not work.
Sometimes when I'm in hotmail and I click one of the buttons like "delete" or "inbox" a new tab opens up with an ad page, and I can't get hotmail to respond--clicking delete again will open a tab again.

I've tried numerous free antispyware programs:
AVG Antivirus
MalwareBytes
Spyware Doctor
Adaware SE

I've also tried specific fixes: Vundofix and Autorun fix

I'm operating Windows XP Pro 2002 with Service Pack 3 installed

Any help would be greatly appreciated!

Edited by The weatherman, 12 May 2009 - 05:27 PM.
Moved to a more appropriate forum. TW



#2 RavenPhoenix
  • Members, 137 posts

Posted 12 May 2009 - 05:42 PM

Hello and welcome to BC!
Please run the ESET Online Scanner and post your log here. Be sure "remove infections" is checked.
Forum Skulker. Preventing Comp Nukes everywhere. :-)

#3 dbucci
  • Topic Starter, Members, 8 posts

Posted 12 May 2009 - 06:39 PM

Well, it looks like I have a new symptom. Internet Explorer doesn't work at all. I don't know how long this has been the case because I've been using Firefox, but when I tried ESET and learned that it wasn't compatible with Firefox I tried Explorer and found that it's not working at all. I get the "this page cannot be displayed" message.

#4 xblindx
  • Banned, 1,923 posts

Posted 12 May 2009 - 06:48 PM

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it.

  • Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first

    Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

    If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
  • Another work around is by not using the mouse to install it, Just use the arrow keys, tab, and enter keys.

~ Courtesy of boopme

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here or here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please include the following in your reply:
MBAM log

#5 dbucci
  • Topic Starter, Members, 8 posts

Posted 12 May 2009 - 07:06 PM

Here's the log. I had run this program an hour before finding this website. I remember it finding several instances of autorun and a downloader, among other stuff. I dunno if this helps much since it's clean.

Malwarebytes' Anti-Malware 1.36
Database version: 2110
Windows 5.1.2600 Service Pack 3

5/12/2009 8:03:55 PM
mbam-log-2009-05-12 (20-03-55).txt

Scan type: Quick Scan
Objects scanned: 82797
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 xblindx
  • Banned, 1,923 posts

Posted 12 May 2009 - 07:13 PM

Could you find the older log and post that one please?

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 dbucci
  • Topic Starter, Members, 8 posts

Posted 13 May 2009 - 06:26 AM

I can't be sure if this log is from before or after I was infected, but it's the only old one from MalwareBytes that I hadn't deleted yet. After that you'll see a posted log from Dr.Web CureIt.

Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 5.1.2600 Service Pack 3

4/29/2009 4:23:03 PM
mbam-log-2009-04-29 (16-23-03).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 170148
Time elapsed: 31 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 33
Registry Values Infected: 11
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ketahope.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\gerogije.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e824160-f2a9-4254-96b8-5c18269481c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7e824160-f2a9-4254-96b8-5c18269481c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\icoou.icooprotocol (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\icoou.icooprotocol.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86fe362e-74fa-4f71-8b69-b94d28880628} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3fdd654-a057-4971-9844-4ed8e67dbbb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31151a59 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm322629c5 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nisidasika (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gerogije.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Damien\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\ketahope.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\epohatek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\gerogije.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Damien\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\Local Settings\Temp\sewrancxmo.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\TEMP\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Now the one from Dr. Web CureIt

Process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Deleted.;
ovfsthosivqphmavorpvjdjxxrhwijvwgsplpq.dll;C:\WINDOWS\SYSTEM32;BackDoor.Tdss.115;Deleted.;
hands up ottawan - greatest hits.mp3;C:\Documents and Settings\Damien\My Documents\My Music\iTunes\iTunes Music\New Songs;Trojan.WMALoader;Cured.;
i feel good james brown.mp3;C:\Documents and Settings\Damien\My Documents\My Music\iTunes\iTunes Music\New Songs;Trojan.WMALoader;Cured.;
my sharona CD quality.mp3;C:\Documents and Settings\Damien\My Documents\My Music\iTunes\iTunes Music\New Songs;Trojan.WMALoader;Cured.;
saturday night earth wind fire - greatest hits.mp3;C:\Documents and Settings\Damien\My Documents\My Music\iTunes\iTunes Music\New Songs;Trojan.WMALoader;Cured.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Deleted.;
hands up ottawan - greatest hits.mp3;F:\Music\New Popular Songs;Trojan.WMALoader;Cured.;
my sharona CD quality.mp3;F:\Music\New Popular Songs;Trojan.WMALoader;Cured.;
saturday night earth wind fire - greatest hits.mp3;F:\Music\New Popular Songs;Trojan.WMALoader;Cured.;
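The 29 April log above is the most informative artifact in the thread: it shows every location the infection used to come back after a reboot (Run values, AppInit_DLLs, a BHO, SSODL and SharedTaskScheduler entries, Startup-folder shortcuts, and policy keys that disabled regedit and Folder Options), and the items marked "Delete on reboot" are the ones that were loaded in memory and could not be removed live, which is why the instructions insist on rebooting. As an added illustration, not BleepingComputer's or Malwarebytes' own tooling, the script below parses MBAM 1.x log lines, groups detections by autostart mechanism and lists what is still pending a reboot. The mechanism table is my assumption about which registry locations matter; the sample lines are excerpted from the log posted above.

```python
"""Triage a Malwarebytes 1.x removal log.

Added illustration, not BleepingComputer's or Malwarebytes' code.  The
MECHANISMS table is an assumption about which autostart locations matter;
SAMPLE_LOG is excerpted from the 29 April 2009 log in this thread.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\ketahope.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\gerogije.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e824160-f2a9-4254-96b8-5c18269481c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gerogije.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection per line: "<item> (<family>) -> [details -> ...] <action>."
# Non-greedy item so "Bad: (1) Good: (0)" details are not mistaken for the family.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")

# Autostart / tampering locations, matched case-insensitively against the item path.
MECHANISMS = [
    (r"\\currentversion\\run\\", "Run key: executed at every logon"),
    (r"appinit_dlls", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    (r"browser helper objects", "BHO: loaded by Internet Explorer"),
    (r"shellserviceobjectdelayload", "SSODL: loaded by explorer.exe at shell start"),
    (r"sharedtaskscheduler", "SharedTaskScheduler: loaded by explorer.exe at shell start"),
    (r"\\start menu\\programs\\startup\\", "Startup folder: run at logon"),
    (r"\\policies\\", "Policy tampering: admin tooling disabled"),
    (r"security center", "Security Center tampering: warnings suppressed"),
]


def parse_entries(log_text):
    """Return one dict per detection line: item, family, action, details."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                       # section headers, blanks, "(No malicious items detected)"
        parts = m.group("rest").split(" -> ")
        entries.append({
            "item": m.group("item"),
            "family": m.group("family"),
            "action": parts[-1].rstrip("."),
            "details": parts[:-1],          # e.g. "Data: c:\windows\system32\gerogije.dll"
        })
    return entries


def classify(item):
    """Map a registry path or file path to the persistence mechanism it represents."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "Other: payload file or class registration"


def triage(log_text):
    entries = parse_entries(log_text)
    by_mechanism = defaultdict(list)
    for e in entries:
        by_mechanism[classify(e["item"])].append(e["item"])
    # "Delete on reboot" means the object was in use; nothing is gone until the restart.
    pending = [e["item"] for e in entries if e["action"].lower() == "delete on reboot"]
    return {
        "families": Counter(e["family"] for e in entries),
        "persistence": dict(by_mechanism),
        "pending_reboot": pending,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, items in result["persistence"].items():
        print(label)
        for item in items:
            print("   ", item)
    print("Pending reboot:", len(result["pending_reboot"]), "object(s)")
```

Run it on a saved mbam-log-*.txt by reading the file into triage(). The "Other" bucket is where the payload DLLs land; the named buckets tell you how they were being launched, which is what to re-check after the reboot.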

#8 xblindx
  • Banned, 1,923 posts

Posted 13 May 2009 - 06:46 AM

Are you still experiencing problems?

Please update MBAM. If you cannot update it automatically through the program, you may download the definitions from here and just double click mbam-rules.exe to install them.

After you have updated MBAM, please do a full scan and post the log.

I also need to warn you that:

These items are part of a very nasty backdoor trojan.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

  • "When should I re-format? How should I reinstall?"
  • "Help: I Got Hacked. Now What Do I Do?"
  • "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

Edited by xblindx, 13 May 2009 - 06:48 AM.


#9 dbucci
  • Topic Starter, Members, 8 posts

Posted 13 May 2009 - 02:56 PM

Internet Explorer still won't work and the MalwareBytes update won't either--I used the link you provided to install the update the first time, but I also did it again--did you see something in the log to suggest that the update didn't work? I'm scanning my computer again right now. I haven't experienced any trouble navigating, but then again, I haven't been on it much.

I'm definitely willing to reformat, but I have a few questions:
I'm not sure if I have the OS discs that I need, and I planned to buy a new computer at the end of June/beginning of July anyway. If I can't find the OS discs, is there any reason I can't just keep running antispyware programs as a stopgap measure until I buy the new computer?
If I do find the OS discs, then I'll go ahead with the reformat, and here's my other question:
Is it safe to burn files to a cd or email them to myself to put on my new computer? I'm basically only concerned with songs, movies and word documents. Are any/all of these safe to move from an infected computer to a clean one?

Edited by dbucci, 13 May 2009 - 02:57 PM.


#10 dbucci
  • Topic Starter, Members, 8 posts

Posted 13 May 2009 - 05:38 PM

Also, here's the latest MBAM log:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Damien\DoctorWeb\Quarantine\ovfsthosivqphmavorpvjdjxxrhwijvwgsplpq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Damien\DoctorWeb\Quarantine\ovfsthosivqphmavorpvjdjxxrhwijvwgsplp0.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ovfsthjuqyprmwtinfxeqaqhbvstbctxjtylqi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ovfsthhjqjgowgeuwoldvorcilllixwycwftai.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ovfsthguyvssmaysfyrtevndomrutvjoegnbya.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ovfsthqspfcoxnlewbkvxdjmecrcntdcyymckl.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#11 xblindx
  • Banned, 1,923 posts

Posted 13 May 2009 - 06:08 PM

TDSS is a really nasty infection, that's what I'm going to tell you first. We would likely make little headway here.


> did you see something in the log to suggest that the update didn't work?

The definitions are updated multiple times a day so I always suggest an update before re-scanning just in case.

> I'm not sure if I have the OS discs that I need, and I planned to buy a new computer at the end of June/beginning of July anyway. If I can't find the OS discs, is there any reason I can't just keep running antispyware programs as a stopgap measure until I buy the new computer?

With root-kits and backdoors, there is really no way to see if the infection is completely gone, therefore I cannot say that doing that would be safe. Also, TDSS (one of the infections you have), is a pretty nasty one and most likely won't be removed by the tools I am experienced with.

> Is it safe to burn files to a cd or email them to myself to put on my new computer? I'm basically only concerned with songs, movies and word documents. Are any/all of these safe to move from an infected computer to a clean one?

You may want to read quietman7's post here regarding what is safe to backup from an infected machine.

#12 extremeboy
  • Malware Response Team, 12,975 posts

Posted 13 May 2009 - 07:45 PM

Hello.

As per your question:

> Sorry to butt in here, but I'm facing a possible reformat myself and was wondering if it's safe to backup my music--burning it to a couple of data DVDs. Is that any riskier than backing up documents?


As we say, there are 2 main guidelines I usually say:

1) Back up all your important data files, pictures, music, work files etc... and save them onto an external hard drive or, better, burn them onto a CD. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages or any other web scripts should also be avoided.

Note: Some may want to be safe, wondering if their data files are infected or not; to make sure you should scan those files using an anti-virus scanner and/or an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were clean, meaning they were not infected at all. Never wrong to double check however.

.mp3/music files shouldn't be able to infect your system as they are not an extension that can be executed and go around infecting systems but there are .mp3 files that are considered trojans, but I do not know what they can/have done. As long as you scan them with some scanners they should be able to tell you if they are infected or not. In most cases, they were all clean. Sometimes certain infections or security "holes" can cause trouble. Take a read here and here for additional information.

Regarding this specific infection it does not do that, so I would say it would be safe to back them up.

Hope that helps.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

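Extremeboy's two guidelines (data types in, executables and web files out) can be turned into a check that runs before anything is burned to disc. The script below is an added example, not the poster's or BleepingComputer's code: it applies an extension allow-list and deny-list, rejects double extensions such as song.mp3.exe, refuses .lnk shortcuts (the log above shows ChkDisk.lnk in the Startup folder used as a launcher), and sniffs the first bytes so a PE image behind a data name is skipped and an .mp3 that is really a Windows Media (ASF) container is set aside for scanning instead of copied blindly. Tying that last check to the Trojan.WMALoader hits in the Dr.Web log is my assumption, drawn from the detection name; the names and bytes in SAMPLE_FILES are constructed for the demonstration.

```python
"""Classify files from an infected machine as copy / scan-first / skip.

Added example, not BleepingComputer's or any vendor's code.  Magic numbers
used: 'MZ' (Windows PE), 'ID3' or an MPEG frame sync (MP3), and the ASF
header-object GUID (WMA/WMV).  Flagging an ASF file named .mp3 is an
assumption made from the Trojan.WMALoader detection name in the thread.
"""

# Data types the post says are reasonable to carry over.
DATA_OK = {".doc", ".docx", ".txt", ".rtf", ".pdf", ".jpg", ".jpeg", ".png",
           ".mp3", ".wav", ".avi", ".mp4", ".mkv"}

# Executable, script and shell-integration types the post says to leave behind.
# .lnk is added because the MBAM log shows a Startup-folder shortcut used as a launcher.
EXEC_DENY = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".dll", ".lnk", ".htm", ".html"}

# ASF header object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, little-endian on disk.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def suffixes(name):
    """All extensions of a file name, lowercased: 'a.mp3.exe' -> ['.mp3', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def looks_like_mp3(head):
    """ID3v2 tag or an MPEG audio frame sync (11 set bits) at offset 0."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def classify_file(name, head):
    """Return 'copy', 'scan-first' or 'skip' from the name and the first bytes."""
    exts = suffixes(name)
    if not exts or exts[-1] not in DATA_OK:
        return "skip"                     # not on the data allow-list
    if any(e in EXEC_DENY for e in exts):
        return "skip"                     # double extension hiding an executable type
    if head.startswith(b"MZ"):
        return "skip"                     # PE image behind a data-looking name
    if exts[-1] == ".mp3":
        if head.startswith(ASF_GUID):
            return "scan-first"           # Windows Media container renamed to .mp3
        if not looks_like_mp3(head):
            return "scan-first"           # unknown content; let a scanner decide
    return "copy"


def plan_backup(files):
    """files: iterable of (name, first_bytes) -> dict of name lists per decision."""
    plan = {"copy": [], "scan-first": [], "skip": []}
    for name, head in files:
        plan[classify_file(name, head)].append(name)
    return plan


def read_head(path, n=16):
    """Helper for real use: first n bytes of a file on disk."""
    with open(path, "rb") as f:
        return f.read(n)


# Constructed sample set: names echo the Dr.Web log above, the bytes are made up.
SAMPLE_FILES = [
    ("hands up ottawan - greatest hits.mp3", ASF_GUID + b"\x00" * 8),
    ("my sharona CD quality.mp3", b"ID3\x03\x00\x00\x00\x00"),
    ("thesis.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("song.mp3.exe", b"MZ\x90\x00"),
    ("ChkDisk.lnk", b"L\x00\x00\x00"),
]

if __name__ == "__main__":
    for decision, names in plan_backup(SAMPLE_FILES).items():
        print(f"{decision:10s} {names}")
```

For a real backup, walk the source directory and feed (name, read_head(path)) pairs into plan_backup(); only the "copy" list goes straight to the disc, "scan-first" gets a scanner pass as the post recommends, and "skip" stays on the old machine.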



