
trojan fake alert, root kit disabled spybot and malwar


65 replies to this topic

#1 marriedwith

Posted 23 July 2009 - 05:56 AM

Dell Inspiron 530 desktop running Windows XP HE with SP3. McAfee antivirus software.
Daughter surfing for lyrics comes up with a virus.
Steps taken:
Windows Defender removed many items.
Ran McAfee - removed what we could; it shows 1 item that cannot be removed, it is Trojan FakeAlert. I had my computer in lockdown.
Daughter restarted computer.
Malwarebytes will not run, neither will Spybot.
I tried System Restore but all restore points are gone.
Having trouble with reboot of Windows - black screen. Booted from disc.
Reran McAfee.
Still one item, same one. Tried reboot, Windows would not come up.
Gave up for the night.
This morning got into Windows Safe Mode with Networking.
Still unable to run Spybot or Malwarebytes.
When browsing for help/downloads I am redirected or hijacked to Coupon Mountain, random sites offering virus protection etc.
Currently I am using a mini laptop to post here; the offending computer has just finished running McAfee virus software in Safe Mode with Networking. It says that it removed the trojan rootkit and has quarantined a few other items. The scan did not reveal the previously unremoved Trojan FakeAlert.
I will follow any advice and post whatever you need for assistance.
Things I have available - my system discs, a portable hard drive.

#2 marriedwith

Posted 23 July 2009 - 07:19 AM

You know you are screwed up when no one responds - posts for "help me I have a virus" are being replied to, can you please spare me a moment?

That being said, I have managed to find a link through this website that people are being referred to for similar problems with Malwarebytes and Spybot not loading. I have managed to get Dr.Web running; I am in Safe Mode with Networking.

It has already paused and requested that I move an item it found during the full scan, which I allowed it to move.
It is still running and I will attempt to post a log.

Does anyone have time to help me?

#3 Stang777

Posted 23 July 2009 - 08:44 AM

Post the log for the program you are currently running when you have it and someone will check it out as soon as they can.

Try renaming Malwarebytes to winlogon.com and see if you can get it to run. If you get it to run, then after updating it and running a quick scan with it, post the log. Malwarebytes is most effective run in normal Windows if possible, but if it is not, do it in Safe Mode.

It can often take some time to get help, especially if the problem is complicated.

#4 marriedwith

Posted 23 July 2009 - 09:14 AM

Dr.Web did run in Safe Mode, found 13 items.
After I ran it I saved the file - but cannot find it now that I have restarted my computer.
I saved it - I did; thought it was unusual to be an Excel file.
Now I cannot locate Dr.Web either.
The items that were found were:
BundleInstaller.exe
Backdoor.Tdss.49
Windows\System 32
My computer booted up in normal mode
I tried to run Malwarebytes and Spybot, they didn't run
I hate to be stupid but how would I change the name?
I just ran Stinger again...I figured it couldn't hurt.
I'm going to keep looking for the file. Thank you!

#5 Stang777

Posted 23 July 2009 - 09:26 AM

To rename it, just right click on it and select Rename; it will highlight the name and let you type over it, then just type the new name.

Btw, I think the file Backdoor.Tdss.49 is a backdoor trojan or rootkit, so in that case you need to read the following....


Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by Stang777, 23 July 2009 - 09:28 AM.


#6 marriedwith

Posted 23 July 2009 - 09:30 AM

Disconnect now, here's the log.
Will have daughter remove her art/music,
do a scrub and try to reinstall system, hope that works.
Thank you so much.
BundleInstaller.exe\data003;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp\BundleInstaller.exe;Probably DLOADER.Trojan;;
BundleInstaller.exe/data005\data003;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp\BundleInstaller.exe/data005;Probably DLOADER.Trojan;;
data005;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp;Archive contains infected objects;;
BundleInstaller.exe/data006\data003;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp\BundleInstaller.exe/data006;Probably DLOADER.Trojan;;
data006;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp;Archive contains infected objects;;
BundleInstaller.exe/data007\data003;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp\BundleInstaller.exe/data007;Probably DLOADER.Trojan;;
data007;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp;Archive contains infected objects;;
BundleInstaller.exe/data008\data003;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp\BundleInstaller.exe/data008;Probably DLOADER.Trojan;;
data008;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp;Archive contains infected objects;;
BundleInstaller.exe;C:\Documents and Settings\Mary\Local Settings\Temp\Arc45.tmp;Archive contains infected objects;Moved.;
full-install.exe\GameGuard/GameMon.des;C:\Documents and Settings\Mary\My Documents\full-install.exe;Probably BACKDOOR.Trojan;;
full-install.exe;C:\Documents and Settings\Mary\My Documents;Archive contains infected objects;Moved.;
ijl20.dll;C:\Program Files\Blackout Ragnarok Online;Probably DLOADER.IRC.Trojan;Incurable.Moved.;
GameMon.des;C:\Program Files\Blackout Ragnarok Online\GameGuard;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Incurable.Moved.;
GameMon.des;C:\Program Files\Maest RO\GameGuard;Probably BACKDOOR.Trojan;Incurable.Moved.;
40bab3976710d1b2000001206711e142.exe/data207\data003;C:\Program Files\Verizon\OfflineUpdate\40bab3976710d1b2000001206711e142.exe/data207;Probably DLOADER.Trojan;;
data207;C:\Program Files\Verizon\OfflineUpdate;Archive contains infected objects;;
40bab3976710d1b2000001206711e142.exe;C:\Program Files\Verizon\OfflineUpdate;Archive contains infected objects;Moved.;
UACtkhgfmonxo.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
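As an added example (not code from the thread, BleepingComputer or Dr.Web): a small Python triage script for the semicolon-separated log format posted above. It parses each object;path;verdict;action record, flags backdoor/rootkit verdicts and anything sitting under the Windows directory, and lists top-level objects the scanner reported but never moved or deleted. The marker list, the sample records and the user, product and file names in them are constructed assumptions; a "Probably ..." verdict is Dr.Web's heuristic prefix, so such hits are worth confirming before acting on them.

```python
from dataclasses import dataclass
BACKDOOR_MARKERS = ("backdoor", "tdss", "rootkit")  # verdicts implying remote control
ARCHIVE_VERDICT = "Archive contains infected objects"

@dataclass
class Finding:
    obj: str      # object name; "archive\member" for a file inside an archive
    path: str     # directory (or archive) that held the object
    verdict: str  # detection name; "Probably ..." marks a heuristic verdict
    action: str   # "", "Moved.", "Deleted." or "Incurable.Moved."
    def is_backdoor(self) -> bool:
        return any(m in self.verdict.lower() for m in BACKDOOR_MARKERS)
    def in_windows_dir(self) -> bool:
        return "\\windows\\" in self.path.lower()
    def is_archive_member(self) -> bool:
        return "\\" in self.obj or "/" in self.obj or self.verdict == ARCHIVE_VERDICT
    def still_present(self) -> bool:
        # Members go away with the enclosing archive, so only a top-level
        # object with no recorded action is still sitting on disk.
        return self.action == "" and not self.is_archive_member()

def parse_log(text: str) -> list:
    """Parse 'object;path;verdict;action;' lines into Finding records."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue  # blank line or something that is not a log record
        findings.append(Finding(*fields[:4]))
    return findings

def triage(findings: list) -> dict:
    """Summarise what a responder needs to decide clean-vs-rebuild."""
    return {
        "backdoors": [f.obj for f in findings if f.is_backdoor()],
        "windows_dir": [f.obj for f in findings if f.in_windows_dir()],
        "not_removed": [f.obj for f in findings if f.still_present()],
        "rebuild_recommended": any(f.is_backdoor() for f in findings),
    }

# Constructed sample in the same format as the posted log (not the real log).
SAMPLE_LOG = r"""
setup.exe\data003;C:\Documents and Settings\User\Local Settings\Temp\Arc1.tmp\setup.exe;Probably DLOADER.Trojan;;
setup.exe;C:\Documents and Settings\User\Local Settings\Temp\Arc1.tmp;Archive contains infected objects;Moved.;
GameMon.des;C:\Program Files\SomeGame\GameGuard;Probably BACKDOOR.Trojan;Incurable.Moved.;
UACexample.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
dropper.exe;C:\Documents and Settings\User\Desktop;Trojan.Fakealert;;
"""
```

Running triage(parse_log(SAMPLE_LOG)) on the constructed sample reports two backdoor verdicts, one hit in system32 and one dropper the scanner only reported, which is the shape of result that drives the reformat advice later in this thread.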

#7 Stang777

Posted 23 July 2009 - 09:35 AM

You are welcome.

That does not look good and in my opinion, a reformat is in order.

HOWEVER, you might want to wait for a second opinion, possibly from a staff member, before doing it.

Btw, I have been advised that it is best when formatting to remove viruses to use a formatting utility instead of using the formatting function from the Windows disk. The formatting utilities like KillDisk will write zeros to the disk to ensure all data is erased, and the Windows disk formatting does not do that.

Edited by Stang777, 23 July 2009 - 09:41 AM.


#8 marriedwith

Posted 23 July 2009 - 09:54 AM

I think I have CyberScrub on my computer drive somewhere.
I have disconnected it from the internet with lockdown firewall.
I use it for my banking, and have changed my passwords with the mini laptop I'm on now.
I noticed that I have a tax return file on my computer and that concerns me.
I have read through the information you sent regarding ID theft and plan to put the alerts on, notify bank, police etc.
Daughter is grabbing her data files to a portable hard drive... this will take some time; I realize that the portable hard drive may need to be scanned?
Any suggestions are welcome...
Although I will miss my desktop, I am wondering if I should just let some pros at Best Buy handle it for me?
I want to be able to trust my computer again to do my banking.

#9 Stang777

Posted 23 July 2009 - 10:03 AM

Unless you feel you cannot do the format and reinstall yourself, I see no reason to have a professional do it for you. It really should not be that hard. If it were me, I would try it myself and if I could not do it, then, and only then, would I have a professional do it for me. Heck, when the time comes for me to do it, I am willing to do it on a system that is running a RAID configuration and that is all new to me, but hey, if I mess it up, then a professional can do it right afterward. You might as well give it a shot, you might surprise yourself and give yourself a sense of security knowing you can do it on the spot in the future should the need arise.

I do not know where you live, but where I live, there are many small computer repair shops that will come to your home and fix it for you, in a very short amount of time, for a lot less money than Best Buy will normally charge when they keep your computer for days on end to do it.

Again, I would wait for a second opinion on doing this. I imagine a staff member will look in on this thread soon and see my pleas for a second opinion.

No harm in backing up your files while you wait, that could take a while anyway. There is also a program the staff can recommend to prevent your portable drive from becoming infected. If it is possible to burn the files to a cd, your risk of re-infecting when you restore those files will be less likely. I will see if I can find a link to the program for the portable drive disinfector.

Edited by Stang777, 23 July 2009 - 10:12 AM.


#10 marriedwith

Posted 23 July 2009 - 10:16 AM

Thank you, thank you. I will check back before I do anything. I know I want this HD cleaned. I have other laptops I can use till I do so. Got to put some food in my house right now, and will check back for a 2nd opinion and advice on scrub and reload of O/S.

#11 Stang777

Posted 23 July 2009 - 10:20 AM

You are welcome, I am still looking for a link for the flash/external drive disinfector thingie.

#12 Stang777

Posted 23 July 2009 - 10:48 AM

I found a post from a staff member that has the info about the flash disinfector. Btw, some antivirus programs might flag this as a threat, but it is not, so allow it to be downloaded and follow the below info.

Please download
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Edited by Stang777, 23 July 2009 - 10:49 AM.


#13 marriedwith

Posted 23 July 2009 - 01:38 PM

Thanks for finding that for me. Question: my desktop is in lockdown and I think I prefer to keep it that way. I can download that program to my laptop and use it to disinfect the portable drive. It will not delete all the items currently on that drive, will it? Bc it is holding my backup for the desktop.

What I'm saying is - will it search for viruses on that and only delete if necessary, correct?

very handy if it prevents viruses from being loaded.

any help with cleansing my computer would be appreciated, I would like to attempt that tomorrow.

#14 Stang777

Posted 23 July 2009 - 09:10 PM

I have never used that flash disinfector but I am sure it will not erase your data from the drive and yes, it does seem like quite the handy little item.

I am surprised nobody else has chimed in on this topic yet but I do believe that because of the backdoor infections and the fact that you do use the computer for online banking that reformatting the drive is the correct thing to do here.

If it were my computer, I would not risk not reformatting it.

If you do the reformat yourself and run into any problems, you can always ask for help in the section of the forum that is for your operating system.

#15 marriedwith

Posted 25 July 2009 - 07:40 AM

So okay, it's Saturday morning - got my pot of coffee and a new flash drive. Daughter has done a backup and I need to do mine. Will physically disconnect computer from DSL router and pop in my system disks. Is there anything... I seem to remember needing to upgrade drivers on my Dell bc of the graphics card, but don't remember any other important drivers I need to locate. I think my disk has SP3 on it so that is well. Thank you for your help. I never did get rid of the virus or get Malwarebytes to run (renaming it didn't work). Is that a concern? Should I try again?



