
Viruses? Malware? or Both? 9129837.exe, Vundo, Trojan, etc...


This topic is locked
2 replies to this topic

#1 dbwhit


Posted 14 August 2009 - 03:58 PM

OS: XP Pro SP2

As of last month my PC (w/ my stupid help :huh:) bit into something & I can't shake it. I thought I solved the issue then, but now learned that I haven't...HELP? If you'll help me, I PROMISE I'VE LEARNED MY LESSON & I'LL NEVER DO IT AGAIN

Last month, for the 1st time ever, I went to install a "copy" of a program, to see if I could use it...before purchasing. :huh: BIG MISTAKE! B) & got some malware issues that I believe to be reinstalling themselves. If interested, I could post the logs from then, but not wanting to confuse my thread, I've left them out.

Now yesterday I clicked a link & immediately realized a mistake. For a split second I think I saw "Torrent", but not positive, on the page as it was loading (I'm familiar w/ "torrents" only in that they are used for downloading, which I've never understood & stay away from them). Anyway, my Symantec Endpoint automatically popped up, seconds after clicking the link, alerting me. Now I'm not sure what it read, but it stated threat name?..."Action Taken: Deleted...Restart Necessary". Once the restart was performed & Windows was loading I got these Symantec notifications.

(#1)SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM

(#2)
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM

(#3)
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM

(#4)
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM

(#5)
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM


as well as something from Symantec pointing to C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe. At this point I was fuming & failed to read any more. I disabled my internet connection, rebooted in safe mode, & did 3 software scans (Malwarebytes' Anti-Malware 1.40, SUPERAntiSpyware 4.26.1006, & Symantec End Point). I've done some research on the following Malwarebytes' log, more precisely wiaserva.log, finding this http://www.symantec.com/security_response/...-99&tabid=2 Helpful? I don't know?

Malwarebytes' Scan Log

Malwarebytes' Anti-Malware 1.40
Database version: 2605
Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/14/2009 9:01:57 AM
mbam-log-2009-08-14 (09-01-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 281921
Time elapsed: 2 hour(s), 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bca95e31-1fbf-4f84-8f23-1ba653007a1e} (Adware.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6156a32a-c512-4e23-aa9a-2315f4265681} (Adware.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{994b5fb4-0103-44a6-b6b3-c73572b362bc} (Adware.BHO) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Doug Whitted\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

End of Malwarebytes' Scan Log


Here are the results of SUPERAntiSpyware scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/14/2009 at 10:21 AM

Application Version : 4.26.1006

Core Rules Database Version : 4003
Trace Rules Database Version: 1943

Scan type : Complete Scan
Total Scan Time : 01:07:18

Memory items scanned : 294
Memory threats detected : 0
Registry items scanned : 6933
Registry threats detected : 3
File items scanned : 22554
File threats detected : 0

Trojan.Agent/Gen
HKU\S-1-5-21-1659004503-776561741-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6156A32A-C512-4E23-AA9A-2315F4265681}

Adware.Vundo Variant
HKU\S-1-5-21-1659004503-776561741-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{994B5FB4-0103-44A6-B6B3-C73572B362BC}
HKU\S-1-5-21-1659004503-776561741-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}

End of SUPERAntiSpyware Scan


Now the Symantec scan was performed last of the 3 scans. The results of its scan were positive w/ NO THREATS
...Whew :thumbsup: ...At least that's what I thought B) ...Don't count dem chickens b'fore da hatch boy :inlove:

Okay, I rebooted in normal boot & just as before, as Windows is loading, I get this notification:

SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM


On top of this I get this "Auto Protect" alert from Symantec, I would copy/paste the log, but I'm not sure how to :flowers: :trumpet: :?

THREAT 1
Risk= Packed.Generic.233
Action= Restart Required (Cleaned by deletion)
Filename=BNB.tmp
Risk Type= File
Original Location= C:\Documents and Settings\...\Local Settings\Temp
Status= Deletion
Current Location= Deleted
Action Description= Deleted successfully

THREAT 2
Risk= Trojan Horse
Action= Quarantined
Filename= install.exe
Risk Type= File
Original Location= C:\Documents and Settings\...\Local Settings\Temp\RarSFX0
Status= Infected
Current Location= Quarantine
Action Description= Quarantined successfully


There's also a window that reads
"Windows cannot find 'install.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click 'Start', click 'Search'."


Will you guys/gals help me out?

Edited by dbwhit, 15 August 2009 - 01:31 PM.
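Added example, not from the post or from Symantec: a small Python parser for tamper-protection alert blocks in the layout quoted above. It groups alerts by actor process and PID and flags any actor running from outside the product's own directories, listing the protected processes it touched, which is the pattern the five alerts in this thread show (one unknown executable in C:\WINDOWS resuming threads in every Symantec component). The third sample block (Smc.exe acting on SmcGui.exe, PID 1488) and the trusted-directory list are assumptions for illustration.

```python
import re
from collections import defaultdict
# Constructed sample: three alert blocks in the layout quoted in the post.
# The first two are the thread's alerts; the third (Smc.exe acting on SmcGui.exe,
# PID 1488) is an assumed benign one added for contrast.
SAMPLE_ALERTS = r"""
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\WINDOWS\9129837.exe (PID 2260)
Time: Friday, August 14, 2009 2:36:30 PM
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Resume Thread
Action Taken: Logged
Actor Process: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 1488)
Time: Friday, August 14, 2009 2:36:31 PM
"""
FIELD = re.compile(r"^(Target|Event Info|Actor Process): (.+)$", re.MULTILINE)
ACTOR = re.compile(r"^(?P<path>.+?) \(PID (?P<pid>\d+)\)$")
# Assumed: directories the product's own components run from; any other actor is suspect.
TRUSTED_PREFIXES = ("c:\\program files\\symantec\\",
                    "c:\\program files\\common files\\symantec shared\\")

def parse_alerts(text):
    # One dict per block: protected target, event, actor path and PID.
    alerts = []
    for block in text.split("SYMANTEC TAMPER PROTECTION ALERT")[1:]:
        fields = dict(FIELD.findall(block))
        m = ACTOR.match(fields.get("Actor Process", ""))
        if m:
            alerts.append({"target": fields["Target"], "event": fields.get("Event Info"),
                           "actor": m["path"], "pid": int(m["pid"])})
    return alerts

def suspicious_actors(alerts):
    # Group by (actor, PID); keep actors outside the vendor's directories, with the targets they touched.
    touched = defaultdict(set)
    for a in alerts:
        touched[(a["actor"], a["pid"])].add(a["target"])
    return {f"{actor} (PID {pid})": sorted(t) for (actor, pid), t in touched.items()
            if not actor.lower().startswith(TRUSTED_PREFIXES)}
```

Run against the sample, only the C:\WINDOWS actor is reported, together with the two Symantec components it resumed threads in; the same grouping applied to a full alert export makes a single process touching every protection component stand out immediately.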



#2 dbwhit


Posted 14 August 2009 - 05:30 PM

Jeez..I just noticed I can edit my post! :thumbsup:

I'm not impatient, it's just more & more issues keep coming up. The latest is....Just rebooted & it's now saying...

"msword98.exe has encountered a problem...." two notifications came up.
http://www.virusremovalguru.com/?p=3307

Upon this restart Symantec AV Auto-Protect caught only 1, the "Packed.Generic.233"....The Symantec Protection now brings up 36

Ohhh...This isn't looking good!

Edited by dbwhit, 14 August 2009 - 05:35 PM.


#3 Orange Blossom


Posted 16 August 2009 - 12:54 PM

Hello,

Your topic wasn't intentionally overlooked. We are extremely busy and things do slip past us in the general forums. I see that you now have a topic posted here: http://www.bleepingcomputer.com/forums/t/249845/serious-problem-msword98exe-malware/ where you are receiving assistance, so I shall close this one to avoid confusion.

Orange Blossom :thumbsup:

