
Am i Infected? What do i do?


  • This topic is locked
17 replies to this topic

#1 TheSadness

  • Members
  • 97 posts

Posted 20 May 2009 - 12:22 PM

Need help, anyone?

BTW, my other post, which is here <http://www.bleepingcomputer.com/forums/topic223876.html>, is from when I was using my cousin's computer.
But now I'm using my own, so please disregard my other post.

Thanks!

Edited by TheSadness, 20 May 2009 - 12:29 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 May 2009 - 12:31 PM

Hello and welcome. Please run these next. If you have Spybot installed, temporarily disable it.
Next, run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Now run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 TheSadness


Posted 21 May 2009 - 01:30 AM

Downloaded required files.

Something's up: Avira identified ATF Cleaner as a Trojan Dropper, and Malwarebytes still doesn't update.

Any help?

Edited by TheSadness, 21 May 2009 - 01:36 AM.


#4 TheSadness


Posted 21 May 2009 - 01:45 AM

OK, I let ATF Cleaner through Avira. Done cleaning temp files. But MBAM still doesn't update.

BTW, Avira detected a Trojan: TR/Crypt.XPACK.Gen, in taqkae.dll. Now I'm really infected :|

What do I do?

Thanks!

Edited by TheSadness, 21 May 2009 - 04:08 AM.


#5 boopme


Posted 21 May 2009 - 06:21 PM

OK, we'll do this first.

Your HOSTS file may be infected, so let's replace it. Reboot into Safe Mode with Networking.
Click on Start then Run and type: %windir%\system32\drivers\etc\
Delete the following file: C:\WINDOWS\system32\drivers\etc\hosts

While in safe mode, launch MBAM and try to update the definition database. DO NOT scan yet. Reboot normally, then perform a new Quick Scan and check all items found for removal. You must reboot normally after the scan to remove the malware.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log.


Now SDFix
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 21 May 2009 - 06:30 PM.


#6 TheSadness


Posted 22 May 2009 - 08:01 AM

When booting into Safe Mode with Networking, the computer restarts over and over again. What do I do?
Really nervous right now.

Tried updating MBAM normally and it worked. I dunno why it worked this time. So I will now do a quick scan.

Edited by TheSadness, 22 May 2009 - 08:05 AM.


#7 TheSadness


Posted 22 May 2009 - 08:16 AM

Here it is. Something's up.
Malwarebytes' Anti-Malware 1.36
Database version: 2166
Windows 5.1.2600 Service Pack 3

5/22/2009 9:30:16 PM
mbam-log-2009-05-22 (21-30-16).txt

Scan type: Quick Scan
Objects scanned: 73665
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by TheSadness, 22 May 2009 - 08:35 AM.


#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2009 - 08:20 AM

Avira detected a Trojan. TR/Crypt.XPACK. Gen Trojan. taqkae.dll.

Did it successfully remove the threat? If not, did it provide the location (file path) on your system?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#9 TheSadness


Posted 22 May 2009 - 08:37 AM

Avira detected a Trojan. TR/Crypt.XPACK. Gen Trojan. taqkae.dll.

Did it successfully remove the threat? If not, did it provide the location (file path) on your system?


Yes it did, moved to quarantine. Its folder is C:\WINDOWS\system32\
A question, sir quietman7: does Avira affect internet speed?

Edited by TheSadness, 22 May 2009 - 08:38 AM.


#10 quietman7


Posted 22 May 2009 - 08:53 AM

How is your computer running now? Are there any more reports/signs of infection?

#11 TheSadness


Posted 22 May 2009 - 11:31 AM

Yes there are, like the one in the MBAM log. I dunno why, but my internet slowed down a bit when I installed Avira.

#12 quietman7


Posted 22 May 2009 - 04:08 PM

Are you talking about this entry?

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully


If so, that is a registry key that can be:
1. Disabled by malware to prevent notification that your protection has been disabled
2. Disabled intentionally by the user.
3. Disabled by other security programs to prevent conflicts, duplicate warnings and allow them to have control.

For example, if you have McAfee Security Center or Norton Internet Security installed, they will disable announcements of Windows Security Center in order to signal things by themselves. Other security programs like Spybot S&D will provide similar detections for these types of registry changes and ask you to allow or deny them.

This key controls the warning you get about your antivirus software (out of date, not installed .....). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

explanation by nosirrah

If a scan is showing these entries and there are no other signs of infection, then it's likely another security program has disabled them. If that's the case, then having MBAM add each one to the Ignore list will prevent the detections from showing in future scans. If you are experiencing symptoms of malware, do not use other security programs and did not disable them yourself, then further investigation is warranted, as there is no way to specifically tell how or by what something became disabled. MBAM only shows that it is disabled.
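The Security Center entry in the MBAM log above can be read mechanically. The following Python is added here as an example and is not code from the thread or from Malwarebytes: it parses the "Registry Data Items Infected" section of the log format shown in post #7 and explains a Disabled.SecurityCenter finding in the terms quietman7 gives (data 1 means the warning is silenced; the "Good" value is what MBAM restored). The AntiVirusDisableNotify and FirewallDisableNotify names are the sibling values in the same key and are not mentioned in the thread.

```python
import re

# Constructed excerpt of the MBAM log from post #7 (the Security Center line is copied verbatim)
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Registry Data Items Infected: 1
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Security Center "DisableNotify" values: data 1 silences the warning balloon (sibling names assumed)
NOTIFY_VALUES = {
    "UpdatesDisableNotify": "automatic-updates warning",
    "AntiVirusDisableNotify": "antivirus-status warning",
    "FirewallDisableNotify": "firewall-status warning",
}

# One detail line: <key path> (<detection>) -> Bad: (<data>) Good: (<data>) [-> <action>]
ITEM_RE = re.compile(
    r"^(?P<path>HK.*?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\)(?: -> (?P<action>.*?))?\.?$"
)

def parse_registry_data_items(log_text):
    """Return the entries under the detail header 'Registry Data Items Infected:' as dicts."""
    items, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "Registry Data Items Infected:":   # detail header, not the summary count line
            in_section = True
        elif in_section and not line.strip():                  # blank line closes the section
            break
        elif in_section and (m := ITEM_RE.match(line.strip())):
            key, _, value = m.group("path").rpartition("\\")  # split the value name off the key path
            items.append({"key": key, "value": value, **m.groupdict()})
    return items

def interpret_security_center(item):
    """Explain a Disabled.SecurityCenter finding: which warning was silenced and what MBAM restored."""
    if not item["key"].lower().endswith(r"\security center") or item["value"] not in NOTIFY_VALUES:
        return None
    return {"value": item["value"], "silenced": NOTIFY_VALUES[item["value"]],
            "was_silenced": item["bad"] == "1",   # 1 = silenced by malware, the user, or another AV
            "restored_to": item["good"]}
```

As quietman7 notes, the parser can only say that the value was set to 1, not who set it; that still has to come from the user or other evidence.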

#13 TheSadness


Posted 22 May 2009 - 07:22 PM

Erm, I think I was the one that disabled that one. :thumbsup: Thanks for the info, I thought it was something bad.


Avira detected a Trojan. TR/Crypt.XPACK. Gen Trojan. taqkae.dll.

Did it successfully remove the threat? If not, did it provide the location (file path) on your system?


Yes it did, moved to quarantine. Its folder is C:\WINDOWS\system32\
A question, sir quietman7: does Avira affect internet speed?

What about this?

#14 quietman7


Posted 22 May 2009 - 09:24 PM

Is your anti-virus set to automatically download updates? If so, it may be downloading in the background without you realizing it. When that occurs, using the Internet can slow considerably depending upon your connection speed.

Choosing an anti-virus is a matter of personal preference, your technical ability and experience, features offered, the amount of resources utilized, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. You may need to experiment and find the one most suitable for your use. There is no universal "one size fits all" solution that works for everyone.

Also, if your computer/browser seems to be slow, please refer to and try some of the suggestions provided in Slow Computer/Browser? Check here first; it may not be malware.

#15 TheSadness


Posted 23 May 2009 - 01:41 AM

Well, it does automatically download updates, but it is during startup.

When booting into Safe Mode with Networking, the computer restarts over and over again. What do I do?
Really nervous right now.

Tried updating MBAM normally and it worked. I dunno why it worked this time. So I will now do a quick scan.


What about this one, the one I replied to boopme about? I really want to know why.

