
Green Desktop +"YOUR SYSTEM IS INFECTED"


  • This topic is locked
6 replies to this topic

#1 Victor80

Victor80

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 27 December 2009 - 05:01 PM

PLEASE HELP! Clicked on something the other night that I shouldn't have. I have AVG Anti-Virus, AOL-McAfee and eAcceleration Stop Sign. No help. Ignored the warning signs, NOW WHAT? Keep getting a pop-up which says that my computer has the Trojan SPM/LX and to download the IDS software. Reset didn't work. Cannot run SYSTEM RESTORE. DDS wouldn't work.

Attached is my hijack-this log file from Notepad....

Thank You.

Attached Files





#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:16 AM

Posted 27 December 2009 - 05:21 PM

Hello Victor80,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:16 AM

Posted 28 December 2009 - 05:14 PM

Hello Victor80,

I understand your frustration. We will now see if we can make things better. PLEASE MAKE SURE TO FOLLOW DIRECTIONS AS GIVEN. This is very important.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


2.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove all but 1 of the following: McAfee or CA or Norton or AVG

Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

*NOTE:
For Norton or McAfee please use the uninstallers located below

Uninstall Norton

  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.

For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Additional instructions can be found here if needed.

Uninstall McAfee

  • Download MCPR.exe to your desktop.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.exe to run the removal tool.
  • Restart your computer after receiving the message CleanUp Successful.
McAfee should now be removed from your PC.

Original instructions here:
http://service.mcafee.com/FAQDocument.aspx?id=TS100507

3.
I see you have eAcceleration, also known as Acceleration Software.
This is a suspected Rogue Antivirus. In other words it gives false positives and does nothing.
For more information see the following links:
LINK1
LINK2

Please remove eAcceleration from your machine using Add/Remove programs.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

eAcceleration
Acceleration Software


Additional instructions can be found here if needed.

4.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
5.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

*NOTE:
Please post the following logs before proceeding to the next step
Gmer.log
log.txt
info.txt

6.
Download Combofix from any of the links below. You must rename it 1234.scr before saving it. Save it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------

Double click on 1234.scr & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Things to include in your next reply:
Which Antivirus did you choose to keep?
Combofix.txt
Hijackthis log
How is your machine running now?


#4 Victor80

Victor80
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 29 December 2009 - 01:24 PM

:( THANK YOU FIREMAN :(

Sorry, for not replying promptly. I didn't need this extra trouble this time of year!

I followed the first two steps (Delete Norton and Delete McAfee). That's when my system became unusable, cutting my access to the Internet. That's when some new unwanted Anti-Virus programs (i.e. Internet Security 2010) started popping up. I resisted the temptation to pay them, surely that's what they want! Eventually, I was able to get a System Restore prompt, and Restored my system on the first try!

Since I am back where I started from, I am happy :) I like the extra feeling of protection that the three AV Programs gives me. It's as if they're competing against each other for my business.

Is there any other thing on my log file that I should delete?

Attached is today's Hijack-This Log File:

Thanks again Fireman :)

Attached Files


Edited by Victor80, 29 December 2009 - 01:27 PM.


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:16 AM

Posted 30 December 2009 - 05:10 PM

Hello Victor80,

I followed the first two steps (Delete Norton and Delete McAfee). That's when my system became unusable, cutting my access to the Internet. That's when some new unwanted Anti-Virus programs (i.e. Internet Security 2010) started popping up. I resisted the temptation to pay them, surely that's what they want! Eventually, I was able to get a System Restore prompt, and Restored my system on the first try!

Since I am back where I started from, I am happy :) I like the extra feeling of protection that the three AV Programs gives me. It's as if they're competing against each other for my business.


It shows in your Hijackthis log that you did not delete any Antivirus and followed none of the directions I have given to you.
Having more than 1 AntiVirus can cause serious problems along with "false positives". Also you used System Restore. You have made changes to your machine which you were advised not to unless instructed to.
Your machine is infected. If you want my help you will have to follow all instructions given. Those including running tools and posting logs and not changing your machine unless instructed to. If you can't do this you are wasting my time as well as yours. If you still want my help please follow the instructions I first gave you. If however you don't want my help or don't want to follow my directions please let me know.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:16 AM

Posted 01 January 2010 - 03:00 PM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:16 AM

Posted 04 January 2010 - 02:22 PM

This thread will now be closed.



