Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected or just alittle bugged out


  • Please log in to reply
9 replies to this topic

#1 CalusBlade

CalusBlade

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 21 June 2009 - 07:41 PM

I was using my laptop and my brother accidentally kicked the plug out. I didn't have my battery in so it just turned off on the spot. before I was downloading a movie for megabytes.com. I also downloaded about 800 MB (it may be more since I'm using a download program by the company, its the the maplestory download application and avira_antivir_personal). Note that I was in my grandparents using wireless. I maybe be just the conversion back to dial up that makes my computer slow.

This is the mal-ware scan and note I was also degraging my computer while scanning.

Malwarebytes' Anti-Malware 1.37
Database version: 2291
Windows 5.1.2600 Service Pack 3

6/21/2009 8:21:24 PM
mbam-log-2009-06-21 (20-21-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 112694
Time elapsed: 1 hour(s), 18 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----

Just virus scanned and found a trojan.hanambot

---

One more thing, can anyone give me a bunch of programs just to prevent it. I tend to download each time I go to my grandparents and as of now this is my only portable computer. I am willing to pay for the programs. I know mal-ware is one, any others?

Edited by CalusBlade, 21 June 2009 - 07:49 PM.


BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:11 PM

Posted 22 June 2009 - 09:49 AM

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.37) with with an outdated database. Please download and install the most current version (1.38) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.Your database shows 2291. Last I checked it was 2321.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 01:21 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 3

6/22/2009 2:21:01 PM
mbam-log-2009-06-22 (14-21-01).txt

Scan type: Quick Scan
Objects scanned: 84581
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I scan with Norton and found trojan.hanambot cagain when i scanned in safe mode. Does it matter if I just shut down instead of reset? How do I know its gone?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:11 PM

Posted 22 June 2009 - 02:03 PM

Did Norton provide a specific file name associated with trojan.hanambot and if so, where is it located (full file path) at on your system?

Did you follow Norton's removal instructions for this threat?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 02:48 PM

At first I just scanned and shut down. Today i scanned and reset. The scan was in safe mode this time. I believe it was in "C:/volume system information\_restore-" that's all I remember, the rest is numbers. Yesterday when I checked how to remove all it told me was to run in safe mode scan and delete. As doe the regedit thing it said to do. It goes up to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion" but none of those files it said to delete are there.

As of now I am running a normal full scan again.

-----

The full scan finish and found nothing. I guess its gone, just to be sure I will scan once more tomorrow.

Edited by CalusBlade, 22 June 2009 - 03:20 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:11 PM

Posted 22 June 2009 - 09:59 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan was in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 22 June 2009 - 11:05 PM

I am kinda of confused. I understand that system restore is one way of protecting the computer and back tracking back to a safer point. Are you just saying that the Norton found something that wasn't really a virus, just a system restore file?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:11 PM

Posted 23 June 2009 - 06:28 AM

I am saying that System Restore will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file.

You said trojan.hanambot was detected by Norton on your machine and then again in C:/volume system information\_restore. By design System Restore runs in the background and when monitoring is enabled, will automatically create a new restore point every 24 hours (system checkpoints). In the process of doing that it backed up the malicious file into a restore point. If your anti-virus or anti-malware tool cannot move a backed up malicious file into quarantine, the file sometimes can reinfect your system if you accidentally use an old restore point.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 CalusBlade

CalusBlade
  • Topic Starter

  • Members
  • 538 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 23 June 2009 - 11:18 PM

Alright thanks. The Virus didn't come back and I set a system restore

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:11 PM

Posted 24 June 2009 - 07:51 AM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users