
Virus found, but is it gone?


15 replies to this topic

#1 f-cad

Posted 01 July 2009 - 09:50 PM

Ran MBAM on a Vista machine which returned the following:

6/27/2009 6:32:22 PM
mbam-log-2009-06-27 (18-32-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140586
Time elapsed: 21 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Windows\System32\Service.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Am I clean now? How can I be sure? Which virus was it, because my XP machine is messed up too, but nothing comes back positive.


#2 boopme (Global Moderator)

Posted 01 July 2009 - 10:00 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 f-cad (Topic Starter)

Posted 01 July 2009 - 10:16 PM

How can I be certain I still don't have it now? I already formatted and reinstalled. Should all backups be destroyed as well? Any way to determine how long I've had the virus? I've been getting artifacts on my XP display. Thought it was a card going out. Any way to put a name on the virus so I can scan my new OS installs just to be sure?

Also, I reinstalled from the DVDs but updates require the net. I'm concerned, because MS isn't offering Vista SP1 or SP2.
Am I just being paranoid now, or do I need to get the actual SP discs?

OK, read the links... guess I should be paranoid! Looks like I'll be doing everything all over again. How should jump drives be fixed/cleaned? What about iPods (the device itself, I'll dump my backups, right)?

I ran a retail Norton 360 on a known bad install and it didn't report a problem. Avast!4Home first found it... but only after it let it in! So now that the hackers have my IP address, what's gonna stop them from sending me a new virus just as soon as my fresh install gets online?

Edited by f-cad, 01 July 2009 - 11:21 PM.


#4 boopme (Global Moderator)

Posted 01 July 2009 - 11:44 PM

Did you format after the backdoor?? Then it would be gone. Unless you reinstalled something..

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Reinstall Windows Vista

>>>
For the flash drives and any PC they may have been connected to after the virus ran...

Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs (http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe) and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Edited by boopme, 01 July 2009 - 11:53 PM.


#5 f-cad (Topic Starter)

Posted 02 July 2009 - 02:36 AM

That's good news! Thought I'd lost all my stuff (lots of iTune$ and docs).

Yes, I did use some driver files off a backup that were .exe. I'll get new ones off a clean computer... and load in Vista yet once again. Thank you! I think I'm gonna get it this time!

Once I have my clean install, I want to image the entire drive. Is a .tif (Acronis) like a .txt as far as viruses are concerned? If so, why does it take so long to scan them?

Any preferences: Norton 360, Avast! (paid/free), AVG (paid/free), others...?

Edited by f-cad, 02 July 2009 - 02:57 AM.


#6 boopme (Global Moderator)

Posted 02 July 2009 - 10:25 AM

Yep, you'll be good now, finally. Do you mean Acronis Privacy Expert Suite?

I personally use AntiVir on my Vista system. I like it..

You're most welcome, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

#7 f-cad (Topic Starter)

Posted 02 July 2009 - 02:27 PM

No... I bought Acronis True Image Home 2009 and backed up both my computers with it. Unfortunately, I can't be sure I didn't back up the virus too. So, once I get everything clean again, I want to make new images for each of my PCs before they go back online, so that if/when this ever happens again I can start with everything already installed (including programs and updates that are current to at least 7/2/09). However, your earlier post said:

2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided

Sounds like you were referring to normally scheduled backups, or does that apply to OS install images as well?

I want to save my new Vista image file on an external e-SATA drive. I'd like to keep this drive connected to my newest box so that scheduled backups can be automatic. In this case would my OS install images be "virus-proof"?

The reason I ask is because every scanner I've used during this little adventure scanned my image files (they never find anything, but they do "love them... long time"). So, if a scanner can get inside my image files to examine them, can a virus get inside my image files too or are they safe, like a .txt file?

I'll give AntiVir a whirl.

Thanks for all the helpful links, I've learned a lot AND got some useful utilities too (I never knew what to get or where to get it). Great site! You guys do nice work here.

Edited by f-cad, 02 July 2009 - 03:56 PM.


#8 boopme (Global Moderator)

Posted 03 July 2009 - 09:38 PM

That's a tricky question. It depends on the infection. As for will it be virus-proof, not necessarily. A lot of worms and viruses are network aware these days, anything connected that the OS has write access to is potentially a target. The advice you gave him to not backup the exes etc, is valid for file infectors, not sure about backdoors. But it's probably best to be safe. If he's unsure whether he's backed up the virus, he could scan the drive again after the backup's been restored.

I'm not sure how thorough the scans are in reference to isos or backup files, in other words, I don't know if they look at individual files in the backup, or just scan the file itself as a whole. If it's the latter, it might not react to an infected file within the archive. (But I'm not positive on the methods of the scanners).

Hope that helps
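The question in the two posts above, whether a scanner that spends a long time on an image file actually inspects the files inside it or only the container as a whole, comes down to whether the tool enumerates members. The script below is an added example, not code from the thread, from Acronis or from any scanner named here; it uses a zip archive as a stand-in for a backup image (assumption: it does not parse the proprietary .tib format), hashes the container as one blob, then lists and hashes each member and flags the names whose extensions the thread says not to carry into a backup. The archive contents and function names are constructed for this example.

```python
"""Inspect the members of a container file rather than hashing it as one blob.

Added example for the thread's question about scanning backup images. It
is not code from the thread, from Acronis or from any scanner; a zip
archive stands in for the image (assumption: the proprietary .tib format is
not parsed here). All archive contents are constructed sample data.
"""
import hashlib
import io
import posixpath
import zipfile

# Extensions the thread says not to carry into a backup (post #4).
RISKY = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}


def build_sample_archive(exe_payload: bytes = b"MZ constructed executable stub") -> bytes:
    """Construct an in-memory zip with two data members and one executable-named member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/report.doc", b"constructed document")
        zf.writestr("music/song.mp3", b"constructed audio")
        zf.writestr("drivers/setup.exe", exe_payload)
    return buf.getvalue()


def whole_file_digest(data: bytes) -> str:
    """The container-level view: a single SHA-256 over the whole blob."""
    return hashlib.sha256(data).hexdigest()


def inspect_members(data: bytes) -> dict:
    """The member-level view: hash every file inside and flag risky names.

    Returns {"members": {name: sha256}, "flagged": [names with risky extensions]}.
    """
    members, flagged = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
            if posixpath.splitext(info.filename)[1].lower() in RISKY:
                flagged.append(info.filename)
    return {"members": members, "flagged": sorted(flagged)}


def changed_members(before: bytes, after: bytes) -> list:
    """Name the members whose content differs between two archives.

    A whole-file digest only says "something changed"; per-member digests
    say which file, which is what a container-aware scan buys you.
    """
    a = inspect_members(before)["members"]
    b = inspect_members(after)["members"]
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


if __name__ == "__main__":
    original = build_sample_archive()
    modified = build_sample_archive(b"MZ altered stub")
    print("container digests differ:", whole_file_digest(original) != whole_file_digest(modified))
    print("flagged members:", inspect_members(original)["flagged"])
    print("changed members:", changed_members(original, modified))
```

The point of the two views: a check that only hashes the container tells you the image changed, but not whether the change was a document edit or an executable that should never have been in the backup. A scanner that does not open the container is in the same position.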

#9 f-cad (Topic Starter)

Posted 04 July 2009 - 04:48 AM

OK, that complicates things a lot. Came up with a plan though...
  • Image my fresh OS installs to DVD using Acronis and set them aside... just in case.
  • Remove my clean HDD and set it aside.
  • Disconnect from the ethernet port.
  • Install a different HDD (in drive slot 1) and create two primary partitions: the first to restore the infected drive image to, the second big enough for my files.
  • Restore the infected drive image to the drive in slot 1
  • Scan with MBAM(?) Please advise the best tool & method.
  • If no viruses found, MOVE (not copy) my folders/files to the second partition (.txt; .doc; .xml; .dwg; .bmp; .jpg; .m4p; .mp3; .mdb(?) only).
  • Zero/wipe the first partition w/Acronis factory disc.
  • Install my clean HDD (in drive slot 0).
  • Re-scan everything w/MBAM(?) using the clean OS. Please advise.
  • MOVE files to the clean HDD only if everything scans OK.
  • If virus detected, abandon the idea of ever recovering anything... wipe the "clean" drive and restore from the DVDs.
Is this reasonable risk? Any suggestions?

I had lots of trouble getting update KB929777 to install (4GB RAM & nVidia card). Without it, I couldn't continue to update Vista. See the simple fix below.
To resolve Windows Update error 8000FFFF for KB929777:
1: Open up "Control Panel" and navigate your way to "Programs and Features".
2: Click "View installed updates" on the left hand side.
3: Find the update KB929777 and uninstall it.
4: Attempt to install the update again in Windows Update.
5: Once successful, restart your PC.
Vista continues to update and it now reports all 4GB RAM.

Edited by f-cad, 04 July 2009 - 05:37 AM.
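The backup rules in boopme's earlier post (keep data files; skip .exe, .scr, .com, .pif and .htm/.html) and the restore plan just above (move only .txt, .doc, .xml, .dwg, .bmp, .jpg, .m4p, .mp3 and .mdb to the second partition) amount to an allow-list and a deny-list of file extensions. The script below is an added example, not code from the thread or from any tool named in it; it builds a constructed sample tree, buckets each file as move, skip or review, and checks whether a drive root carries the protective autorun.inf folder that Flash_Disinfector leaves behind. The double-extension check (a name like photo.jpg.exe goes to review instead of being copied) goes beyond what the posts say; the function names, the sample file names and the temporary directory are assumptions of this example.

```python
"""Bucket files in a backup source tree by the thread's extension rules.

Added example, not from the thread or from any tool it names. The
allow-list comes from the data types listed in posts #4 and #9, the
deny-list from post #4. The double-extension check is an addition.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Data types the posts say are worth keeping.
ALLOWED = {".doc", ".txt", ".mp3", ".jpg", ".xml", ".dwg", ".bmp", ".m4p", ".mdb"}
# Types post #4 says not to back up.
DENIED = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}


def classify(name: str) -> str:
    """Return 'move', 'skip' or 'review' for a file name.

    The final suffix decides. A data-looking name that ends in an executable
    suffix (photo.jpg.exe) is sent to 'review' rather than silently skipped,
    and anything without a recognised suffix is also left for a human.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return "review"
    last = suffixes[-1]
    if last in DENIED:
        if len(suffixes) > 1 and suffixes[-2] in ALLOWED:
            return "review"  # disguised executable
        return "skip"
    if last in ALLOWED:
        return "move"
    return "review"


def plan_move(root: str) -> dict[str, list[str]]:
    """Walk root and bucket every file by classify(); paths are relative to root."""
    buckets: dict[str, list[str]] = {"move": [], "skip": [], "review": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            buckets[classify(f)].append(rel)
    for b in buckets.values():
        b.sort()
    return buckets


def autorun_state(drive_root: str) -> str:
    """Report what sits at <drive_root>/autorun.inf.

    Flash_Disinfector leaves a folder of that name so a worm cannot drop a
    file there. A folder means the placeholder is in place; a file of that
    name on a removable drive deserves a look; absent means no placeholder.
    """
    p = Path(drive_root) / "autorun.inf"
    if p.is_dir():
        return "protected-folder"
    if p.is_file():
        return "autorun-file-present"
    return "absent"


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ["report.doc", "notes.txt", "song.mp3", "setup.exe",
                 "index.htm", "photo.jpg.exe", "README", "drawing.dwg"]
        for n in names:
            Path(tmp, n).write_bytes(b"constructed sample content")
        Path(tmp, "autorun.inf").mkdir()  # stand in for Flash_Disinfector's folder
        return {"buckets": plan_move(tmp), "autorun": autorun_state(tmp)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Run it against the root of the partition that holds the restored image (plan_move) and against each removable drive's root (autorun_state); the "review" bucket is the list to look at by hand before anything is moved to the clean disk.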


#10 boopme (Global Moderator)

Posted 05 July 2009 - 12:51 PM

I think your plan looks good. In both 6 & 10 you should also scan with your AV or an online tool like Kaspersky WebScanner..

The issues in the second part should all clear up after the reinstall.

#11 f-cad (Topic Starter)

Posted 07 July 2009 - 01:59 PM

Got spanked again!

These viruses were found by AntiVir when I searched for and deleted all user files ending in: .com, .exe, and .htm*
TR/Dropper.Gen
TR/Rootkit.Gen

I was denied access to two .htm files and another file that was part of some weird setup folder. So, I moved everything else to a separate partition, booted w/Acronis disc and wiped the partition those suckers were in.

I re-loaded Vista (from scratch, 'cause the DVD backups I made wouldn't load... ah, time well spent) and followed the directions for TR/Rootkit.Gen Trojan and the directions for TR/Dropper.Gen, except for the ComboFix logs:


================================================================================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2009 at 04:09 PM

Application Version : 4.26.1006

Core Rules Database Version : 3977
Trace Rules Database Version: 1917

Scan type : Complete Scan
Total Scan Time : 00:35:14

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 5634
Registry threats detected : 0
File items scanned : 101426
File threats detected : 5

Adware.Tracking Cookie
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Cookies\Low\frank@ads.bleepingcomputer[1].txt
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Cookies\Low\frank@atdmt[2].txt
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Cookies\Low\frank@doubleclick[2].txt
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Cookies\Low\frank@kaspersky.122.2o7[1].txt
C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Cookies\Low\frank@msnportal.112.2o7[1].txt


================================================================================

SmitFraudFix v2.423

Scan done at 17:22:04.73, Tue 07/07/2009
Run from C:\Users\Admin\Downloads\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
::1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{79211F26-4359-4082-97E9-AA08AC8215E8}: DhcpNameServer=192.168.0.1 205.171.3.25
HKLM\SYSTEM\CS1\Services\Tcpip\..\{79211F26-4359-4082-97E9-AA08AC8215E8}: DhcpNameServer=192.168.0.1 205.171.3.25
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.25
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.25


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!



RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


SmitFraudFix did NOT complete as described in the links... is that OK?
================================================================================
Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 6.0.6002 Service Pack 2

7/7/2009 19:02:01
mbam-log-2009-07-07 (19-02-01).txt

Scan type: Quick Scan
Objects scanned: 80159
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This was MBAM quick scan w/NORMAL login & default settings
================================================================================
My Vista box seems better now, the internet lights on my modem aren't flashing nearly as much as they used to, but I'd like to be sure.

What do I need to do next?

btw: I still had issues with KB929777 when re-installing Vista from scratch.

Edited by f-cad, 07 July 2009 - 07:11 PM.
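The two MBAM logs in this thread (the first post's full scan that found Backdoor.Bot, and the clean quick scan just above) share one text layout: a block of per-section counts, then a detail block per section listing either detections as `item (threat) -> action.` or `(No malicious items detected)`. The parser below is an added example, not MBAM code; it turns that layout into structured findings, checks the counts against the detail lines, and pulls out the Services registry keys that would have relaunched the backdoor at boot. The sample log is a trimmed copy of the first post's detections, the clean log is constructed, and the function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware text log into structured findings.

Added example written for this thread; it is not MBAM code and expects only
the layout shown in the posts: "<Section> Infected: N" count lines, then
per-section detail blocks of "<item> (<threat>) -> <action>." lines or
"(No malicious items detected)".
"""
import re
from collections import Counter

# Trimmed copy of the detections from the first post's log.
SAMPLE_LOG = r"""
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140586

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Windows\System32\Service.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\Service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Constructed all-clear log in the same layout as the quick scan above.
CLEAN_LOG = r"""
Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> dict:
    """Return {"counts": {section: n}, "findings": {section: [entries]}}."""
    counts, findings, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            findings[section] = []
            continue
        if section is None or line == "(No malicious items detected)":
            continue  # preamble lines, or an explicitly empty section
        m = DETECT_RE.match(line)
        if m:
            findings[section].append({"item": m["item"], "threat": m["threat"], "action": m["action"]})
        else:
            findings[section].append({"item": line, "threat": None, "action": None})
    return {"counts": counts, "findings": findings}


def threats(report: dict) -> Counter:
    """How many detections each threat name accounts for."""
    return Counter(f["threat"] for sec in report["findings"].values() for f in sec if f["threat"])


def service_persistence(report: dict) -> list:
    """Registry key findings under a Services branch: the autostart for the backdoor."""
    return [f["item"] for f in report["findings"].get("Registry Keys Infected", [])
            if "\\services\\" in f["item"].lower()]


def counts_consistent(report: dict) -> bool:
    """True when every summary count matches the number of detail lines parsed."""
    return all(len(report["findings"].get(s, [])) == n for s, n in report["counts"].items())


def is_clean(report: dict) -> bool:
    """True when no section reports a count and no detection line was parsed."""
    return not threats(report) and all(n == 0 for n in report["counts"].values())


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(threats(r), counts_consistent(r), is_clean(r))
    print(service_persistence(r))
    print(is_clean(parse_mbam_log(CLEAN_LOG)))
```

On the first post's log this yields six Backdoor.Bot lines, three of them service keys under ControlSet001, ControlSet003 and CurrentControlSet, which is why the same file kept coming back: the service entry relaunched it. The consistency check catches a log that was truncated when pasted.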


#12 boopme (Global Moderator)

Posted 09 July 2009 - 08:47 PM

Hello.. I suggest that you make an HJT/DDS log and post it. They will look for any traces and remove them..
To run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#13 f-cad (Topic Starter)

Posted 11 July 2009 - 09:00 AM

Yep, got the logs just fine.

Sorry I didn't post sooner, I was busy cleaning out user folders and saving the safe files (if there is such a thing anymore) to CD.

I think I finally got a clean install of Vista now (and a reliable backup of it too). :thumbsup: I'm about to attempt restoring the safe user files to the HDD. Thanks for the Belarc Advisor link.

I like the AntiVir program too.

I installed Windows 7 Firewall Control from Sphinx Software (it's for Vista too). It uses the firewall already inside Vista (so it's small), but lets me choose IncomingOnly, OutgoingOnly, EnableAll, or BlockAll... right from a popup that details the application making the request. Nice GUI, simple to use, and it's free. ZA did not work for me.

Thanks again for all your help!

I lost three weeks trying to reclaim my stuff from this Backdoor.bot thing, and the bottom line is (and I just can't bear to accept it yet, which is why I'm here): I lost EVERYTHING... ALL my iTunes... ALL my updates... and programs... and pictures... and databases... and AutoCAD drawings... and tax information... and contacts... and sensitive financial info... if I want to be sure it's really gone. I was shocked to read that OSX has zero virus problems.

Edited by f-cad, 11 July 2009 - 09:08 AM.


#14 boopme (Global Moderator)

Posted 11 July 2009 - 01:29 PM

:thumbsup: This is good, glad it's working and that's a fine tool there.

#15 f-cad (Topic Starter)

Posted 11 July 2009 - 03:48 PM

Great! Vista does seem to be running smooth. Thanks for taking a look.

It's taken my whole life to learn this, and sometimes I forget... but I'm happiest when I'm helping someone else. It gets me out of me.

So, I wish you much happiness.



