
Infosteal


8 replies to this topic

#1 Scintie

  • Members
  • 5 posts

Posted 22 June 2009 - 09:17 AM

The other day Norton 360 popped up with "PC Security at Risk: Infostealer could not be automatically resolved".

Then Norton wouldn't even let me run a virus scan; it kept saying there was one running already when there wasn't.

I ran Avast and it just gave me "Disc C: Boot Record unable to scan, no more data is available". It also did that for Disc D: and Disc 0 Master Boot Record.

I ran Malwarebytes' Anti-Malware.
For the sake of keeping things short and not having to open another pastebin window
(gah, ok, still too long, pastebin it is)
http://pastebin.com/d23b30518

and I ran HijackThis
http://pastebin.com/m9e4fefe

Someone in the IRC channel told me to post here before going to the HJT section.
This computer is basically brand new, less than 2 months old, and my mom kept putting off burning the recovery disc, and what do you know, it's now infected.

New to this getting-help stuff; here are my specs from dxdiag if they are needed.
Operating System: Windows XP Home Edition (5.1, Build 2600) Service Pack 3 (2600.xpsp_sp3_gdr.090206-1234)
Language: English (Regional Setting: English)
System Manufacturer: eMachines
System Model: EL1200-06w
BIOS: )Phoenix - Award WorkstationBIOS v6.00PG
Processor: AMD Athlon(tm) Processor 2650e, MMX, 3DNow, ~1.6GHz
Memory: 894MB RAM
Page File: 631MB used, 3333MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
DX Setup Parameters: Not found
DxDiag Version: 5.03.2600.5512 32bit Unicode

A little more probably "useless" info, but just in case.
My hdd is divided up between C and D, 60 gig in each (came like that), and my dad's friend told us not to partition it. So I have been installing my stuff on C: and my mom has been installing games from discs on D. Though I told her it was probably not a great idea, she did it anyway. I filled the C drive just about full, then deleted like 20 gigs of stuff, and it won't let me defrag either drive, nor will it let me do chkdsk. (Don't know the exact errors right now; if that is needed for anything, let me know and I'll get them.)

Edited by Scintie, 22 June 2009 - 09:31 AM.



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 June 2009 - 09:41 AM

Yes, it would be helpful for you to post any error messages.

Please download F-Secure Easy Clean and save the file to your desktop.
Be sure to read the Frequently Asked Questions before performing a scan.
  • Double-click on fseasyclean.exe to launch the program.
  • Read the license agreement and click Accept.
  • Click Start to begin the scan and cleaning.
  • Please be patient as the scan may take a while to complete.
  • If a rootkit is detected, Easy Clean will require you to restart the computer in order to complete the removal process.
  • Once the computer restarts, Easy Clean will launch automatically and continue with disinfection.
  • When finished it will show the results of what was found and removed.
  • Exit Easy Clean when done.
Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 2297. Last I checked it was 2321.

If you cannot update through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
NOTE: You indicated you are using Norton 360 and avast.

Using more than one anti-virus program is not advisable. The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as malicious behavior, and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time, resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus.

Further, keep in mind that dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. Nonetheless, to avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time. When necessary, you can always get another opinion by performing an Online Virus Scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Scintie

  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2009 - 09:54 AM

F-Secure says it found nothing.

Running mbam again.
Successfully upgraded it.

The reason for the 2 virus scans is Norton wouldn't let me scan. I didn't know if it would affect it or not; thanks for the information.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 June 2009 - 09:57 AM

The reason for the 2 virus scans is Norton wouldn't let me scan. I didn't know if it would affect it or not; thanks for the information.

Not a problem. Just be sure to remove one of them.

#5 Scintie

  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2009 - 01:58 PM

Alright, ran mbam again; it told me to reboot so I did, and it didn't relaunch after I rebooted, and my Norton now says "protected". Does that mean it's cleared up, or do I have more steps?

I take that back. Now it's saying it's still there : [

Edited by Scintie, 22 June 2009 - 02:02 PM.


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 June 2009 - 02:15 PM

Did Norton provide a specific file name associated with this threat and if so, where is it located (full file path) at on your system?

ran mbam again; it told me to reboot so I did, and it didn't relaunch after I rebooted

Just to be clear, did you try to run MBAM again by clicking on it or were you expecting it to launch automatically?

Please download SmitfraudFix by S!Ri and save to your Desktop.
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
  • Double-click smitfraudfix.exe to start the tool.
  • If using Windows Vista be sure to Run As Administrator
  • Select option #5 - Search and clean DNS Hijack by typing 5 and press "Enter".
  • After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive (typically C:\rapport.txt).
  • Please copy and paste the contents of that text file into your next reply.
IMPORTANT: Do NOT run any other options unless you are asked to do so!

-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (typically at C:\), and run it from there.

#7 Scintie

  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2009 - 02:29 PM

Sorry to double post, but can Infostealer pick up the on-screen keyboard?


Nope, no file path. My mom thinks it's a false positive, though in the registry I found

000 REG_SZ infostealer


Yes, I expected it to launch automatically; I'll retry it.

Okay, so my mom said it said something about global root:
GLOBAL ROOT / SYSTEM ROOT / SYSTEM 32 / MSIVXXPETNPLSWSEBCCHQEDKIVPIODUMJBTXG.DLL
Ok. So comparing that to my log, I guess it's not a false positive.

She said that's what it showed her as the file path, but I can't find anything to do with that.

Edited by Scintie, 22 June 2009 - 02:45 PM.


#8 Scintie

  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2009 - 02:49 PM

That SmitfraudFix, when I click on it, a command prompt window flashes and it does nothing else.

Moved it to the C drive too.
Malwarebytes' Anti-Malware 1.38
Database version: 2322
Windows 5.1.2600 Service Pack 3

6/22/2009 3:08:35 PM
mbam-log-2009-06-22 (15-08-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209542
Time elapsed: 35 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXxpetnplswsebcchqedkivpiodumjbtxg.dll (Spyware.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXxpetnplswsebcchqedkivpiodumjbtxg.dll (Spyware.Agent) -> No action taken.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> No action taken.

After I scanned again, it didn't delete anything at all.

Edited by Scintie, 22 June 2009 - 03:09 PM.
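Added illustration, not part of the thread or of any participant's post: the script below parses a Malwarebytes' Anti-Malware 1.x report of the shape posted above and separates two things the raw log leaves to the reader. First, items reported under a `\\?\globalroot\` path: that prefix is the NT object-manager namespace, and a user-mode scanner reports a file that way when it had to bypass the normal Win32 directory view to reach it, which is the usual sign of a kernel-mode rootkit hiding the file (and explains why a second scan found the same DLL still loaded as a memory module). Second, items marked "No action taken", which only means nothing was ticked for removal, not that the scanner failed. The sample log is constructed: three lines reuse the paths from the log above, and the example.exe line is invented for contrast. Function names and the verdict wording are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of a Malwarebytes' Anti-Malware 1.x report.
# The first three detections are the paths from the thread's own log; the
# fourth (example.exe, "Quarantined and deleted") is made up for contrast.
SAMPLE_LOG = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXxpetnplswsebcchqedkivpiodumjbtxg.dll (Spyware.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXxpetnplswsebcchqedkivpiodumjbtxg.dll (Spyware.Agent) -> No action taken.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\example.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<detection name>) -> <action>."
# The lazy path group backtracks past parentheses inside the path itself
# (e.g. "Program Files (x86)") because the name group must be followed by " -> ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# NT object-manager namespace prefix. A user-mode scanner reports a file this
# way when the normal Win32 directory view did not show it, i.e. something in
# kernel mode is hiding the file. (Assumption: case-insensitive match suffices.)
HIDDEN_PREFIX = "\\\\?\\globalroot\\"


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str
    name: str      # scanner's detection name, e.g. "Spyware.Agent"
    action: str    # what the scanner did, e.g. "No action taken"

    @property
    def hidden(self) -> bool:
        return self.path.lower().startswith(HIDDEN_PREFIX)

    @property
    def remediated(self) -> bool:
        # MBAM 1.x wording: "Quarantined and deleted successfully" / "Delete on reboot"
        return self.action.lower().startswith(("quarantined", "delete"))


def parse_mbam_log(text: str) -> list[Detection]:
    """Track the current 'X Infected:' section and return one Detection per item line."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:                 # "(No malicious items detected)" does not match
            detections.append(Detection(section, m["path"], m["name"], m["action"]))
    return detections


def triage(detections: list[Detection]) -> dict:
    """Collapse duplicate paths (the same DLL is listed as a memory module and as a file) and decide the next step."""
    seen: set[str] = set()
    hidden: list[str] = []
    not_remediated: list[str] = []
    for d in detections:
        key = d.path.lower()
        if key in seen:
            continue
        seen.add(key)
        if d.hidden:
            hidden.append(d.path)
        if not d.remediated:
            not_remediated.append(d.path)

    if hidden:
        verdict = "rootkit-hidden component present: a user-mode scan alone will not clear it; use a rootkit-capable tool"
    elif not_remediated:
        verdict = "detections left in place: rerun the scan, check the items, choose Remove Selected, then reboot"
    else:
        verdict = "clean: every detection was quarantined or deleted"
    return {"unique_paths": len(seen), "hidden": hidden, "not_remediated": not_remediated, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is and the verdict is the rootkit case, because the DLL is reported under the globalroot prefix; drop that line from the sample and the verdict becomes the "No action taken" case, which matches what the poster saw (the scan found the items but nothing was selected for removal). The dedup on lowercased path matters because MBAM lists an injected DLL twice, once under "Memory Modules Infected" and once under "Files Infected".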


#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 22 June 2009 - 10:01 PM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.



