Need Help Double Checking System


11 replies to this topic

#1 Useless User (Members, 14 posts)

Posted 22 July 2009 - 12:57 AM

Hey again.

Just got back from a vacation yesterday, and I come home to find my desktop acting strangely.

[The desktop uses Windows XP Professional with SP3.]

For the desktop, my defenses are AVG, Spybot Search & Destroy, Ad-Aware and Malwarebytes' Anti-Malware. When I was doing a Spybot scan, my computer restarted in the middle of the scan. Confused, I tried it again. Found that it restarted again.

Worried, I restarted in Safe Mode and used Spybot again. This time, it found three bad pieces of trouble: Win32.Bredolab.B, Win32.TDSS.rtk and Win32.Agent.pz. I had Spybot fix these problems, then scanned with Malwarebytes. One full scan later, and it didn't find anything. Using Ad-Aware, I found another bit of trouble, but it was taken care of no problem. [I'm away from my computer right now, so I don't have it written down around me.]

I was wondering if you could help me make sure my computer was cleaned up.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 22 July 2009 - 07:14 AM

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.
Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Useless User (Topic Starter, Members, 14 posts)

Posted 23 July 2009 - 01:12 AM

The log from MBAM:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

7/22/2009 2:35:14 AM
mbam-log-2009-07-22 (02-35-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139293
Time elapsed: 30 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

~~~~~

The Dr. Web log:

Process.exe;C:\Documents and Settings\Administrator\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\Administrator\SmitfraudFix;Tool.ShutDown.14;Incurable.Deleted.;
1042a.exe;C:\WINDOWS\system32;BackDoor.IRC.Nite;Deleted.;
pskill.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
reader_s.exe;C:\WINDOWS\system32\config\systemprofile;Trojan.DownLoad.29459;Deleted.;
5a065183.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4489;Deleted.;


~~~~~

While I was waiting for MBAM to finish, I was looking through the MBAM old logs. I found that about a month ago I had been infected. Thing that got me worried was one particular notice:

C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Now, from what I was reading on the site, this is typically related to Virut. I've changed all my passwords since I read the log today, and I've isolated the computer since beginning the scans. I checked the subsequent scans. The next two MBAM logs showed only one or two files which were promptly deleted. Judging by the Dr. Web log, reader_s.exe showed up again. Also, I noted that one of the things Dr. Web caught was a backdoor.

Furthermore, my computer is having trouble starting up normally. It gets to the Welcome screen, then resets. I'm backing up the necessary data from Safe Mode as of this post.

Am I better off just formatting and reinstalling Windows?

P.S. Virut can't jump into a recently installed external hard drive via USB, can it? I borrowed my friend's external to get my files, so I don't want to give him a nasty bug. If it does, I think I may have to sacrifice all my data.

Edited by Useless User, 23 July 2009 - 01:27 AM.
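As an added example (not code from this thread, from Malwarebytes or from Dr.Web), here is a small Python triage of the two logs posted above. It parses the MBAM summary block quietman7 asked for in #2 and the semicolon-separated Dr.Web CureIt lines, separates Dr.Web's Tool.* riskware hits (SmitfraudFix's helpers and Sysinternals pskill are process-kill utilities, not infections) from the BackDoor/Trojan hits, flags files dropped in system32\drivers or the system profile, and reports any name MBAM had already quarantined a month earlier, which is the reinfection signal the poster noticed by hand. The log text and the earlier-hit set are copied from this post into the script; nothing is read from disk, and the riskware prefix list and sensitive-directory list are my own assumptions.

```python
"""Triage of the two scan logs posted above (example code added to this
thread; not part of Malwarebytes or Dr.Web).  The log text and the
earlier-MBAM-hit set below are copied from the post, not read from disk."""
import re

MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 139293

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

DRWEB_LOG = r"""
Process.exe;C:\Documents and Settings\Administrator\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\Administrator\SmitfraudFix;Tool.ShutDown.14;Incurable.Deleted.;
1042a.exe;C:\WINDOWS\system32;BackDoor.IRC.Nite;Deleted.;
pskill.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
reader_s.exe;C:\WINDOWS\system32\config\systemprofile;Trojan.DownLoad.29459;Deleted.;
5a065183.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4489;Deleted.;
"""

# Name MBAM quarantined a month earlier, per the older log quoted in the post.
EARLIER_MBAM_HITS = {"reader_s.exe"}

# Dr.Web prefixes for legitimate-but-abusable utilities (riskware, not infections).
# Assumption for this example: only the Tool.* family is treated that way.
RISKWARE_PREFIXES = ("Tool.",)
# Directories a user never writes to; a fresh file here is suspicious on its own.
SENSITIVE_DIR_SUFFIXES = (r"\windows\system32\drivers",
                          r"\windows\system32\config\systemprofile")

MBAM_COUNT_RE = re.compile(r"^(?P<what>[A-Za-z ]+ Infected): (?P<n>\d+)$", re.M)


def parse_mbam_summary(text):
    """Map each 'X Infected: n' summary line to its integer count."""
    return {m.group("what"): int(m.group("n")) for m in MBAM_COUNT_RE.finditer(text)}


def mbam_is_clean(text):
    """True only if the summary block was found and every counter is zero."""
    counts = parse_mbam_summary(text)
    return bool(counts) and sum(counts.values()) == 0


def parse_drweb(text):
    """Each Dr.Web CureIt line is  name;directory;detection;action;  (trailing ';')."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            continue  # blank or malformed line: skip rather than guess
        name, directory, detection, action = fields
        records.append({"name": name, "dir": directory,
                        "detection": detection, "action": action})
    return records


def triage_drweb(records):
    """Split hits into riskware vs malware and flag sensitive drop locations."""
    out = {"riskware": [], "malware": [], "sensitive_location": []}
    for r in records:
        bucket = "riskware" if r["detection"].startswith(RISKWARE_PREFIXES) else "malware"
        out[bucket].append(r["name"])
        if r["dir"].lower().endswith(SENSITIVE_DIR_SUFFIXES):
            out["sensitive_location"].append(r["name"])
    return out


def recurring(records, earlier_hits):
    """Names removed before that a later scanner found again (reinfection signal)."""
    return [r["name"] for r in records if r["name"] in earlier_hits]


if __name__ == "__main__":
    print("MBAM clean:", mbam_is_clean(MBAM_LOG))
    recs = parse_drweb(DRWEB_LOG)
    print(triage_drweb(recs))
    print("recurring:", recurring(recs, EARLIER_MBAM_HITS))
```

Run as-is it reports the MBAM log as clean, three Tool.* riskware entries, three real detections (two of them in directories only an installer or a driver loader should touch), and reader_s.exe as a repeat of the earlier quarantine. A clean MBAM summary next to a Dr.Web log like this is exactly the disagreement that should push the decision toward reformatting rather than more scanning.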


#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 23 July 2009 - 07:46 AM

Please see ThreatExpert's awareness of the file "reader_s.exe".

Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Your decision as to what action to take should be made by reading and asking yourself the questions presented in those links. As I already said, in some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

Caution: If you are considering reformatting and backing up data, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to copying it back to your hard drive.
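The backup rules in the caution above, as an added example that is not part of this thread or of any vendor's tool: a Python audit of a folder about to be copied to the external drive. It flags executables and screensavers, autorun files, web script files, archives that carry executables (zip contents are listed; .cab and .rar are only flagged for manual inspection), and double extensions such as holiday.jpg.exe. It goes one step beyond the post by reading every file's first two bytes for the MZ executable header, so a renamed .exe is caught whatever it is called. The sample folder it builds is constructed here, and the extension lists beyond the post's own .exe/.scr/.php/.asp/.html are my additions.

```python
"""Audit a folder before it is backed up, using the rules from the post
above plus an MZ-header check.  Example code added to this thread; the
sample tree is constructed, the extension lists are assumptions."""
import os
import tempfile
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
SCRIPT_EXT = {".php", ".asp", ".html", ".htm"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(path):
    """Return the list of reasons this file should be left out of the backup."""
    reasons = []
    name = os.path.basename(path).lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if name in AUTORUN_NAMES:
        reasons.append("autorun file")
    if ext in EXECUTABLE_EXT:
        reasons.append("executable")
    if ext in SCRIPT_EXT:
        reasons.append("web script file (Virux can inject an iframe)")
    if len(parts) > 2 and ext in EXECUTABLE_EXT:   # heuristic: a.b.exe style names
        reasons.append("double extension hides the real type")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                inner = [n for n in zf.namelist()
                         if os.path.splitext(n.lower())[1] in EXECUTABLE_EXT]
            if inner:
                reasons.append("archive contains executables: " + ", ".join(inner))
        except zipfile.BadZipFile:
            reasons.append("unreadable zip")
    elif ext in ARCHIVE_EXT:
        reasons.append("archive; inspect contents manually")
    # Content check: a PE file starts with 'MZ' no matter what it is named.
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ" and ext not in EXECUTABLE_EXT:
            reasons.append("MZ header: executable disguised as " + (ext or "no extension"))
    return reasons


def audit_backup(root):
    """Walk root and map each offending file (posix-style relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Constructed sample backup folder: clean documents plus one case per rule."""
    root = tempfile.mkdtemp(prefix="backup_audit_")

    def put(rel, data=b"plain data"):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    put("docs/thesis.doc")
    put("photos/holiday.jpg", b"\xff\xd8\xff\xe0")      # real JPEG header
    put("photos/holiday.jpg.exe", b"MZ\x90\x00")         # double extension
    put("tools/pskill.exe", b"MZ\x90\x00")
    put("web/index.html", b"<html></html>")
    put("autorun.inf", b"[autorun]\r\nopen=setup.exe\r\n")
    put("misc/readme.txt", b"MZ\x90\x00")                # renamed executable
    with zipfile.ZipFile(os.path.join(root, "misc", "old_tools.zip"), "w") as zf:
        zf.writestr("bin/process.exe", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"harmless")
    return root


if __name__ == "__main__":
    for rel, why in sorted(audit_backup(build_sample_tree()).items()):
        print(rel, "->", "; ".join(why))
```

The double-extension rule is deliberately a heuristic (a legitimate "my.report.exe" trips it too), which is fine for a backup audit where the goal is to make a human look at the full file name, exactly as the post advises. Run it against the real folder by calling audit_backup on the path and review every hit before the copy.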

#5 Useless User (Topic Starter, Members, 14 posts)

Posted 23 July 2009 - 01:20 PM

So I should read over every file before backing it up? Unfortunately, my CD drive isn't exactly in working order, so no backing up that way. What kind of scan can I do on the external after backing it up to make sure it's clean? If it is infected after the transfer, is it possible to connect to it and scan it without infecting something?

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 23 July 2009 - 01:56 PM

Protective measures:

Download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Alternatively, you can download and use Flash_Disinfector which is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. As part of its routine, this tool will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you run it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Download "ClamWin Portable Antivirus", put it on your USB Flash Drive, update its definition files and perform a scan.

Hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically.

With virut, the degree of infection and amount of damage can vary. If the CD/DVD drive is working, then it is a safer choice to use. Why...because most malware writers take advantage of the autorun.ini that uses Windows Explorer's right-click context menu for usb drives/external hardware. Why...because most folks use them more often these days...they are convenient and portable...thus, people use them and as a result, infections are easier/faster spread by attackers exploiting that method so they take advantage of it. If external drives are used, they can become compromised in the process of backing up data even if not already infected.
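The two halves of the advice above, inspecting a drive for an autorun.inf and then planting a directory of that name so one cannot be dropped later, as an added Python example. This is not Panda's or sUBs' code; it only mirrors the mechanism the post describes. The parser pulls the keys that actually launch something (open, shellexecute and the shell\verb\command entries) out of the [autorun] section, which is what you want to read before deciding whether a drive was touched. The sample autorun.inf is constructed, and giving the placeholder directory hidden and system attributes on Windows is my choice, not a claim about how either tool does it.

```python
"""Inspect a removable drive root for an autorun.inf and, if none is
present, plant the protective autorun.inf directory described above.
Example code added to this thread; sample file and attributes are
assumptions, not the behaviour of Panda USB Vaccine or Flash_Disinfector."""
import os
import sys
import tempfile

# Constructed sample, typical of what a worm drops on a USB drive.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed example
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
label=My Passport
"""

# Keys that execute something on insert or when the drive icon is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return the [autorun] section as {key: value}; keys are lower-cased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Only the entries that run a program; icon/label/action are cosmetic."""
    return {k: entries[k] for k in LAUNCH_KEYS if k in entries}


def inspect_drive(root):
    """('file', launch targets) / ('protected', None) / ('absent', None)."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", None
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            return "file", launch_targets(parse_autorun(fh.read()))
    return "absent", None


def protect_drive(root):
    """Create a directory named autorun.inf so malware cannot drop a file there.
    Returns True if it was created, False if already protected; refuses to
    overwrite a real autorun.inf file, which should be inspected first."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return False
    if os.path.exists(path):
        raise FileExistsError("autorun.inf file present; inspect it before replacing")
    os.mkdir(path)
    if sys.platform == "win32":
        import ctypes  # hidden + system attributes, my choice for this example
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x02 | 0x04)
    return True


def demo():
    """Exercise both paths on a constructed temporary 'drive root'."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    inf = os.path.join(root, "autorun.inf")
    with open(inf, "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    before = inspect_drive(root)      # ('file', {...launch targets...})
    os.remove(inf)                    # what the cleanup tools do first
    created = protect_drive(root)     # True: placeholder directory planted
    again = protect_drive(root)       # False: already protected
    after = inspect_drive(root)       # ('protected', None)
    return before, created, again, after


if __name__ == "__main__":
    print(demo())
```

The placeholder directory only blocks the autorun.inf trick; it does nothing against a file infector such as Virut that has already written itself into executables on the drive, which is why the post still says to scan the external with ClamWin afterwards. On a real drive call inspect_drive on the drive root first and read the launch targets before deleting anything.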

#7 Useless User (Topic Starter, Members, 14 posts)

Posted 24 July 2009 - 01:00 PM

So, the data's been transferred.

I ran over it once with Dr. Web while it was still connected to the 'bad' computer, but found nothing.

Following your instructions, I installed ClamWin on my spare USB drive, updated the definitions and found nothing bad.

I connected the external to my clean computer (keeping the shift key down), and ran Flash Disinfector while both the USB storage devices were connected. It completed its task with no issues.

I installed ClamWin on the external, updated the definitions and found nothing bad. [AVG confused ClamWin for a bad process though. Weird that it didn't happen when it was scanning the thumb drive.] Just to be sure, I ran Dr. Web on the external one more time, this time from the clean computer, as well as MBAM. MBAM found two pieces of SKYNET spyware on my 'clean' computer, which were removed. The specific entries can be seen below.

c:\WINDOWS\system32\SKYNETduqwyyhc.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETqgoejkcf.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I restarted in Safe Mode and did the scans again. Dr. Web found nothing, nor did MBAM.

Is it safe to assume that the external drive is safe? Am I free to format my desktop and start anew?

#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 24 July 2009 - 04:26 PM

Sounds like you covered all the bases but I'm concerned about those MBAM detections. Are you sure your clean computer was completely clean before you started? Is it running ok or are there any signs of slowness, browser redirects or unknown error messages, etc?

#9 Useless User (Topic Starter, Members, 14 posts)

Posted 24 July 2009 - 06:36 PM

Nope, it seems to be working fine. I asked for help about it while I was on vacation. Budapest helped me clean it up.
The only potentially dangerous thing I did was change the Windows file that enforces the use of signed themes with a patch. (UXTheme Multipatcher, in particular.)

If it seems to be a potential problem, I'll look it up. As I mentioned before, I again scanned while in Safe Mode with Dr. Web and MBAM, but found nothing after that initial scan. I haven't seen any of the symptoms you asked, but I do have a problem while trying to play LAN games with my friends. (I randomly disconnect while my internet remains connected. It's probably not related, but still...)

What would you suggest?

#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 25 July 2009 - 08:28 AM

Ok then. Those entries apparently were remnants left over that were not detected when Budapest helped clean up that machine. It is not uncommon for subsequent scanning after updates of a particular security product has been released to result in detection of items which had previously gone undetected by prior scans.

Looks like you're good to go with reformatting the infected machine.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum. If you don't get a reply, please send me a PM and I will get someone to take a look.

#11 Useless User (Topic Starter, Members, 14 posts)

Posted 25 July 2009 - 02:22 PM

Thanks for your help, Quietman. I'll let you know how it goes.

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,897 posts, Virginia, USA)

Posted 25 July 2009 - 02:24 PM

You're welcome and good luck.



