
I think I'm really infected. Please help.


2 replies to this topic

#1 allanq

allanq

  • Members
  • 5 posts

Posted 16 November 2009 - 02:39 PM

Hi,

I was browsing/searching Google for a program to safeguard some of my files and I recently downloaded a trial version of a program called "folder lock" from what I think is an affiliate website of theirs. I thought it was safe to just download and install, since who would ever sell infected software? I mean that's crazy. So I downloaded a file named folder-lock-gg.exe from their affiliate (brothersoft I think) and proceeded to install. It's where Google led me after the search, so I didn't know at that time that they did not make the software. After installation everything seemed to work fine, then suddenly came a BSOD (blue screen of death). I didn't get to see what it was about as the machine proceeded to reboot itself. Since then I cannot enter Windows XP without getting a BSOD. I tried fixing it by going to safe mode and uninstalling the software from there. It did not work, so I had to manually delete the installed files. I tried reinstalling, and this time I used Advanced Uninstaller Pro to track the installation and have it uninstall the software after installation. Again everything seemed fine, but then the PC seemed to behave differently. It sometimes hung and even got c:\windows\system32\config\software corrupted, so the PC stopped during boot saying c:\windows\system32\config\software was corrupted. So I searched around the net on how to fix this and fixed it using the Recovery Console. Wondering how this all got started, I remembered the installation file I got, so I went to virustotal.com and sent it, and here is what I got back.

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.15 Net-Worm.Win32.Kolab!IK
AhnLab-V3 5.0.0.2 2009.11.13 Win32/Kolab.worm.Gen
AntiVir 7.9.1.65 2009.11.13 TR/Dldr.Pher.VS
Antiy-AVL 2.0.3.7 2009.11.13 Trojan/Win32.Zbot.gen
Authentium 5.2.0.5 2009.11.14 W32/Downldr2.GSQO
Avast 4.8.1351.0 2009.11.15 Win32:Zbot-LXK
AVG 8.5.0.425 2009.11.15 Injector.FF
BitDefender 7.2 2009.11.15 Trojan.Generic.2292863
CAT-QuickHeal 10 2009.11.13 TrojanDownloader.Pher.vs
ClamAV 0.94.1 2009.11.15 Trojan.Zbot-5367
Comodo 2957 2009.11.15 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.11.15 Trojan.PWS.Panda.122
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.14 W32/Downldr2.GSQO
F-Secure 9.0.15370.0 2009.11.11 Trojan.Generic.2292863
Fortinet 3.120.0.0 2009.11.15 W32/BDoor.VS!tr.dldr
GData 19 2009.11.15 Trojan.Generic.2292863
Ikarus T3.1.1.74.0 2009.11.15 Net-Worm.Win32.Kolab
Jiangmin 11.0.800 2009.11.12 Backdoor/Poison.bxn
K7AntiVirus 7.10.896 2009.11.13 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.11.15 Trojan-Downloader.Win32.Pher.vs
McAfee 5802 2009.11.14 BackDoor-EBI.gen
McAfee+Artemis 5802 2009.11.14 BackDoor-EBI.gen
McAfee-GW-Edition 6.8.5 2009.11.15 Trojan.Dldr.Pher.VS
Microsoft 1.5202 2009.11.14 VirTool:Win32/Injector.gen!AD
NOD32 4608 2009.11.14 a variant of Win32/Kryptik.ACB
Norman 6.03.02 2009.11.15 DLoader.ZEDR

I was very shocked, so I quickly turned off the computer, rebooted and installed Malwarebytes (I had it on my other PC). It removed some files (it said they were rootkits), but they also came back after the reboot.
c:\windows\system32\sys_drv.dat
c:\windows\system32\sys_drv_2.dat
c:\windows\system32\WinFLdrv.sy
c:\documents and settings\Gwapo\Application Data\systemfl.$dk

I have a dual boot system WinXP / Win98SE, so I just went to Win98 and proceeded to delete the files. I also ran Aswar.exe (Avast Anti Rootkit) on XP; I heard of it from a friend. It found just 1 file, so I let it remove the file. So now I have XP running, but I am seriously doubtful that the infection/spyware has been removed. I uploaded the infected installer at http://www.mediafire.com/?zdj2jdjeinm just in case anybody wants to take a gander at it. Also, I later found out that the file from the original site was not infected. I guess they don't know their affiliates are infecting their potential clients. For what purpose I surely don't comprehend. I mean, why infect potential clients? So please help me regarding this matter. I use the infected computer for daily work, so I tried fixing it just enough to get it to enter XP to see if it could still be fixed... I'm not an expert, but I'm pretty sure that it is still infected. I seriously don't know what to do next; I don't want to make things worse, so if anybody can help me with my dilemma, please guide me on what to do next. I guess I'm at the end of my rope on fixing this myself. I really, really need help with this, guys, and any input would be highly appreciated.

Hope to hear from you guys soon.

regards,
Allan
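An added example, not from the post above or from any tool it names: a small Python parser for VirusTotal-style result rows like the ones pasted above. It counts how many engines flagged the file and tallies the family words that several vendors agree on (for the rows above, Zbot), which is how a responder reads such a report when the labels disagree. The sample rows are copied from the post; the list of "generic" label fragments is my own assumption about which words carry no family information.

```python
import re
from collections import Counter

# Sample input: a subset of the VirusTotal rows quoted in the post above.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.15 Net-Worm.Win32.Kolab!IK
Antiy-AVL 2.0.3.7 2009.11.13 Trojan/Win32.Zbot.gen
Avast 4.8.1351.0 2009.11.15 Win32:Zbot-LXK
ClamAV 0.94.1 2009.11.15 Trojan.Zbot-5367
eSafe 7.0.17.0 2009.11.12 -
eTrust-Vet 35.1.7121 2009.11.14 -
Kaspersky 7.0.0.125 2009.11.15 Trojan-Downloader.Win32.Pher.vs
NOD32 4608 2009.11.14 a variant of Win32/Kryptik.ACB
"""

# vendor, engine version, signature date (YYYY.MM.DD), then the result label,
# which may itself contain spaces ("a variant of ...").
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Assumed set of label fragments that name a class, not a family.
GENERIC = {
    "win32", "w32", "trojan", "tr", "generic", "gen", "variant", "malware",
    "downloader", "dldr", "dloader", "net", "worm", "backdoor", "bdoor",
    "pws", "unclassifiedmalware",
}


def parse_report(text):
    """Turn the pasted table into a list of row dicts; '-' means no detection."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # skip blanks and the header row
        m = ROW.match(line)
        if not m:
            continue  # tolerate stray lines from a copy-paste
        vendor, version, updated, result = m.groups()
        result = result.strip()
        rows.append({
            "vendor": vendor,
            "version": version,
            "updated": updated,
            "result": None if result == "-" else result,
        })
    return rows


def detection_ratio(rows):
    """Return (engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in rows if r["result"])
    return hits, len(rows)


def family_tokens(result):
    """Split a vendor label into candidate family names, dropping generic words,
    pure numbers and short suffixes such as '!IK' or '.vs'."""
    out = []
    for token in re.split(r"[^A-Za-z0-9]+", result):
        t = token.lower()
        if not t or t in GENERIC or t.isdigit() or len(t) < 4:
            continue
        out.append(t)
    return out


def family_consensus(rows):
    """Count, per family word, how many distinct engines used it."""
    counts = Counter()
    for r in rows:
        if r["result"]:
            for t in set(family_tokens(r["result"])):
                counts[t] += 1
    return counts


def summarize(text):
    rows = parse_report(text)
    hits, total = detection_ratio(rows)
    return {
        "hits": hits,
        "total": total,
        "top": family_consensus(rows).most_common(3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['hits']}/{s['total']} engines flagged the file")
    print("most-agreed family words:", s["top"])
```

For the quoted rows this reports 6 of 8 engines flagging the file and "zbot" as the label three vendors share; the single-vendor names (Kolab, Pher, Kryptik) are then easy to treat as lower-confidence aliases rather than as three separate infections.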


#2 allanq

allanq
  • Topic Starter

  • Members
  • 5 posts

Posted 17 November 2009 - 12:30 AM

Hi again, here's some more added info regarding my post. I've just now deleted files created at the time/date of infection in the hopes of lessening the infection. I've found 2 files created which were infected. I sent all the files I've found to virustotal and the two files were verified to be infected. I also removed any references in registry of the two files using regedit. The two files were Suppdll.dll & WindrvNT.sys.

I know I should wait for a reply before trying things out, but I've noticed that there have been lots of views but no one seems to want to touch my topic. I know you guys are busy, but please kindly find time to answer my post, as others with more recent posts than mine have already been replied to. So please, if any mods/members are available who can handle this, please reply, or please inform me if this is too hard for this section of the forum. Should I post it on HijackThis Logs and Virus/Trojan/Spyware/Malware Removal and try out the Preparation Guide for use before posting about your potential Malware problem? Please help/guide me with this as I need this computer for my work (I use it every day).

I've already read
Pinned: Rootkit Removal
Pinned: How do I get help? Who is helping me?
Pinned: A Reminder To Our Members Regarding Hijackthis Logs
Pinned: Slow Computer?
Pinned: How Did I Get Infected?
Pinned: Before You Post About A Problem
Pinned: Am I Infected? What Do I Do?
and it seems that my earlier post was in order. So I do hope someone with a kind heart lends a hand.

Anyway, I'll still wait for a reply. In any case please kindly advise me if I need to take this to a different section of the forum.

Edited by allanq, 17 November 2009 - 12:35 AM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 November 2009 - 08:36 AM

Should I post it on HijackThis Logs and Virus/Trojan/Spyware/Malware Removal and try out the Preparation Guide for use before posting about your potential Malware problem?

Yes.

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. a rootkit) which has not been detected by your security tools and which protects malicious files and registry keys so they cannot be permanently deleted. Other rootkits can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS/HijackThis log for further investigation.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
