Am I still infected?


This topic is locked
12 replies to this topic

#1 Reaxku The Fox (Members, 18 posts)

Posted 17 July 2009 - 11:43 PM

Recently my computer has come under a bombardment of all sorts of nasties, here's a list of the virus vaults,

AVG:


Adware Generic_c.CJ
Win32/Alureon
Trojan Horse Backdoor.Generic8.TYM

Avast:

4 different cases of "Win32:Trojan-Gen{Other}"

ComboFix: (Yes I ran it without professional advice, I'm a bad person)

hjgruihtimybrp.dat.vir (I found other cases of this in a .dll form in the Windows memory)
packet.dll.vir
pthreadVC.dll.vir
pthreadVC.dll.vir
npf.sys.vir (Driver)
README.TXT.vir (A notepad virus?!)
MBX@95B4@381F50.###.vir, MBX@95B4@381F60.###.vir, MBX@95B4@381F70.###.vir (And three others with similar names)
daemon_mgm.exe.vir
INSTALL.LOG.vir
npf_mgm.exe
rpcapd.exe.vir
Uninstall.exe.vir



There are more that I found and removed manually using hjt. All these infections happened in a span of three days... I just want to know if my computer is finally clean.

I'm running Avast and AVG (I know they might conflict)

I collect viruses... unintentionally.


#2 Computer Pro (Members, 2,448 posts)

Posted 18 July 2009 - 03:27 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.




One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by Computer Pro, 18 July 2009 - 03:27 PM.

Computer Pro

#3 snowdrop (Members, 513 posts)

Posted 18 July 2009 - 03:43 PM

welcome to this forum :thumbsup:

There are more that I found and removed manually using hjt



May one ask how you did this and who analysed the HJT log, as removing even ONE incorrect line can be disastrous and prevent the computer from running :trumpet:

May one ask for how long you have had both these antivirus programs installed together?

I'm running Avast and AVG

as this may be one of the causes OF the infection ...running more than one at a time is tantamount to having NO protection at all

We know it is YOUR computer and yours to decide how to proceed but please DO be aware that the computer's safety is now compromised and can never be trusted again ; any scans you run MAY appear to be clean but ultimately will NOT be :flowers:

also please be aware of the risks OF running ComboFix

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.


I strongly suggest you reformat and reinstall but, as it is your computer please tell us, from the advice and information we have given you, what you wish to do :inlove:

#4 Reaxku The Fox (Topic Starter, Members, 18 posts)

Posted 19 July 2009 - 01:56 AM

I understand the risks of all my actions and that my computer can 'never' be trusted again, but I do not do any form of online banking or anything that would be important to a hacker's financial needs, I just game, script, and web surf. Nevertheless I still want to make sure my computer is as clean as possible, any help in doing this is verrry appreciated!

May one ask how you did this and who analysed the HJT log as to remove even ONE incorrect line can be disasterous and prevent the computer from running

I did, myself, and my computer did not explode, so I'd say I did a satisfactory job... I've always kept close tabs on what runs on my computer and occasionally create a HJT log for me to examine any changes and investigate them further. If my investigation of a new entry in my hjt log comes up as malware, I remove it, simple.

please be aware of the risks OF running ComboFix

The only thing I was worried about at the time was how much damage would be done to my system if I did not run it, the consequences seemed much worse if I did not run combofix, and it looks like it cleans up some of the baddies quite nicely.

I strongly suggest you reformat and reinstall but

I was blessed with buying this computer at a bargain with Vista pre-installed, a reformat and installation is not really in the budget so to speak. And if anything messes up in vista I do have my handy copy of ubuntu standing-by.

I just want to be as sure as possible that the malware is gone... please help.

Oh and which anti-virus should I keep if I decide to rid myself of one?

Edited by Reaxku The Fox, 19 July 2009 - 01:57 AM.



#5 snowdrop (Members, 513 posts)

Posted 19 July 2009 - 02:38 AM

and which anti-virus should I keep if I decide to rid myself of one?


with respect you NEED to rid yourself of ONE of them as the rule is to have only ONE installed Resident antivirus program; if you continue to run with more than one you are guaranteed to get infected as that is like running with NO protection at all :flowers:

Nevertheless I still want to make sure my computer is as clean as possible, any help in doing this is verrry appreciated


Again, we cannot guarantee it ever being clean; all the scan results MAY APPEAR to BE clean but we know underlying IS an unremovable infection :thumbsup:


However, if you wish to try some scans, do you have Malwarebytes and Superantispyware on there?

If so run full computer scans with them; do NOT please rerun the ComboFix !!!

with your one remaining antivirus program fully update it and run a full deep scan

also try an online scan from Trend

http://housecall.trendmicro.com/uk/

let us know how you get on ?

#6 Reaxku The Fox (Topic Starter, Members, 18 posts)

Posted 19 July 2009 - 02:55 AM

with respect you NEED to rid yourself of ONE of them as the rule is to have only ONE installed Resident antivirus program; if you continue to run with more than one you are guaranteed to get infected as that is like running with NO protection at all

Ok, you've convinced me. I've disabled all of AVG's runtime features but kept the program for independent file scanning purposes, AVAST is now my primary antivir

do you have Malwarebytes and Superantispyware on there?

Do now, running the scans now

do NOT please rerun the ComboFix !!!

Don't worry about me doing that again, I just got a tad bit desperate. This computer is brand-spanking-new because my old one died due to a virus overclocking all my drives to melty pieces of plastic, I did not want that happening again!

I'll try to get you the scan results around 4pm tomorrow (today i guess), these scans look like they may take a while and I must sleep... and thanks for helping :thumbsup:



#7 snowdrop (Members, 513 posts)

Posted 19 July 2009 - 07:33 AM

This computer is brand-spanking-new because my old one died due to a virus overclocking all my drives to melty pieces of plastic, I did not want that happening again!


How 'new' IS new? Is it still in warranty? if it is you COULD take it back to the store from which you ? bought? it and seek their help to put it back to factory settings; I.E. wipe it and start again ; then you would have a clean slate to work from :thumbsup:
Have you thought of that option?

From experience , running the full deep scans WILL take some hours ........

#8 Reaxku The Fox (Topic Starter, Members, 18 posts)

Posted 19 July 2009 - 12:43 PM

It is still under warranty, but I ordered it online and to ship it back is just a hassle... like I said I don't do any kind of banking on my computer, just games, coding, and web surfing



#9 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 19 July 2009 - 01:02 PM

Hi Reaxku The Fox,

You initially asked if you are now clean after doing the various things you described. That is an impossible question to answer without more information than what we have. Since you are not permitted to post HJT or other logs such as DDS in this forum, that leaves us with a couple of ways to go other than a reformat.

The presence in and of itself of a backdoor Trojan does not call for a reformat unless that is what you wish to do and based on the information we can supply. There are those who think you can never trust the system again to be totally safe but many do not follow this course. Again that is a choice you will need to make. I haven't researched all of the files you posted but if you have a file infector such as Virut or Sality present then reformat is the only way we will suggest you go.

If you want a better look taken of your system then that will require you to start a new topic in our HJT forums. If not then you can run MalwareBytes and post a log here.

If you will let us know which way you want to go I can assist you from there.
If I have helped you then please consider donating so I can continue the fight against malware. All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 Reaxku The Fox (Topic Starter, Members, 18 posts)

Posted 19 July 2009 - 01:24 PM

I'll wait for Malwarebytes to finish then depending on the results I'll decide to stay here or move to the hjt sector. Regardless, thanks for your help!

file infector such as Virut or Sality present then reformat is the only way

No, nothing that serious, I caught the infection very early but it spread quickly... it seemed to be quite generic as far as backdoor trojans go

Edited by Reaxku The Fox, 19 July 2009 - 01:34 PM.



#11 boopme (To Insanity and Beyond; Global Moderator, 73,331 posts, NJ USA)

Posted 19 July 2009 - 02:17 PM

Please post the MBAM log when complete..

The reality of a backdoor Trojan is it can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#12 Reaxku The Fox (Topic Starter, Members, 18 posts)

Posted 19 July 2009 - 02:52 PM

Hey, hey... there's no need to stress that my computer is now unable to be trusted, ever. I do not even own a credit card, I try to keep things cash-only. My computer or any of my activities on it have nothing to do with anything sensitive... the hackers can even spectate my game playing if they want! My mwbyte log only had one result for a Trojan.Agent, the program Avenger which I downloaded through a link on this site to keep handy; it's a kernel-based file killer. Here's the official log;
Malwarebytes' Anti-Malware 1.39
Database version: 2462
Windows 6.0.6001 Service Pack 1

7/19/2009 3:50:36 PM
mbam-log-2009-07-19 (15-50-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 340873
Time elapsed: 1 hour(s), 47 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Reaxku\Goodies\avenger\avenger.exe (Trojan.Agent) -> No action taken.

I am not going to delete this file as I know where it came from, and trust the source, and can see why a viral scanner would pick it up as dangerous seeing as of its uses. I'm now going to transfer myself over to the hjt section to more thoroughly check my system... Thanks for all your help... again! :thumbsup:

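An added example, not from the thread or from Malwarebytes, that parses the Malwarebytes 1.39 log layout posted above: it checks that each summary count agrees with the items actually listed under that heading and flags any detection left at "No action taken" (as avenger.exe was here). The sample log, path and detection name below are constructed.

```python
import re

# Constructed sample in the Malwarebytes 1.39 layout seen in the thread; path and name are illustrative.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.39

Scan type: Full Scan (C:\\|D:\\|)

Memory Processes Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\\Users\\example\\tools\\avenger.exe (Trojan.Agent) -> No action taken.
"""

# One detail line: "<path or registry key> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# One summary line: "<Heading> Infected: <count>"
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")


def parse_mbam_log(text):
    """Return (summary_counts, detections).

    summary_counts maps each '... Infected' heading to the number given in the
    summary block; detections lists every item found under the detail headings.
    """
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):
            section = line[:-1]          # detail heading, e.g. "Files Infected"
        elif section and line and not line.startswith("("):
            d = DETECTION_RE.match(line)  # "(No malicious items detected)" is skipped above
            if d:
                detections.append({"section": section, **d.groupdict()})
    return counts, detections


def triage(text):
    """Flag headings whose summary count disagrees with the listed items,
    and detections the user left at 'No action taken'."""
    counts, detections = parse_mbam_log(text)
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    mismatched = [s for s, n in counts.items() if seen.get(s, 0) != n]
    pending = [d for d in detections if d["action"].startswith("No action taken")]
    return {"mismatched_sections": mismatched, "pending": pending}
```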


#13 boopme (To Insanity and Beyond; Global Moderator, 73,331 posts, NJ USA)

Posted 19 July 2009 - 03:06 PM

Ok, sorry but I hate to see someone have their ID stolen.. And yes you can leave that..
Your topic looks good there.. you're welcome from us all!

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.