
Definitely infected....what a Gong Show!

13 replies to this topic

#1 Qwazert (Members, 18 posts)

Posted 29 December 2009 - 09:27 PM

I have Avira Antivirus installed and it has protected me quite well in the past. I make a habit of updating it every day. I also have SPYWARE BLASTER installed and functional, with regular updates as well.
The other day, I started noticing some "odd" behaviour from my PC. At first I didn't clue in...random "freezes"...re-directs to obscure webpages, etc.
Then, while checking things out in TASKMANAGER, I noticed a few odd programs running: a.exe, b.exe, c.exe. etc....

A quick Google search informed me that this was indeed a Malware/Spyware/Trojan attack of some sort. I immediately ran a FULL scan with Avira...nothing flagged!
After several nervous hours, I downloaded and ran SPYBOT Search & Destroy...A few items were found and "handled".

Not satisfied that all was well, I did some more Googling to see what else I might do....Downloaded a whole slew of Anti-malware/Spyware software...some discovering more faults, others not finding a thing!

Tonight, after running MalwareByte's AntiMalware, I discovered 7 more infections...and I'm still getting re-directed...especially when I try to Google anything to do with Virus or Malware removal (clever boys).
I followed the advice in this thread: http://www.bleepingcomputer.com/forums/t/280742/multiple-virustrojan-activity-browser-redirects-help/ as the fellow seemed to be going through what I was...

This MalwareBytes thing seems to be quite robust...I will run it a few more times and see what gives...stand by!

Edited by Qwazert, 29 December 2009 - 09:29 PM.



#2 Computer Pro (Members, 2,448 posts)

Posted 29 December 2009 - 09:44 PM

Hello and welcome to Bleeping Computer. My name is Computer Pro and I will be helping you with your issues.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.



Did you try to run Dr. Web as I suggested in the other topic?
Computer Pro

#3 Qwazert (Topic Starter)

Posted 29 December 2009 - 11:14 PM

It is running as we speak (so to speak)...So far it has detected TWO Trojans (Download 50161 and Startpage 1505). It will be at it for at least another hour and I will update when it completes.

#4 Computer Pro

Posted 29 December 2009 - 11:15 PM

Normally Dr. Web scans can take around 5 hours. I will be waiting for the results
Computer Pro

#5 Qwazert (Topic Starter)

Posted 30 December 2009 - 01:47 AM

About 2/3 of the way through the DrWeb COMPLETE scan, Avira woke up and found two more Trojans in my System Restore files...and DrWeb went right past them!


...still awaiting the DrWeb scan to complete!


5 HOURS????? I could have re-formatted and re-loaded in less time!

Edited by Qwazert, 30 December 2009 - 02:33 AM.


#6 Qwazert (Topic Starter)

Posted 30 December 2009 - 03:37 AM

OK...here is the DrWeb scan report:

4b56c21a.qua/data001\___\googletoolbar.exe;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4b56c21a.qua/data001;Trojan.DownLoad.50161;;
data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Archive contains infected objects;;
4b56c21a.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
RegUBP2b-Daddy.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

And the result of MalwareByte's Quick Scan:

Malwarebytes' Anti-Malware 1.42
Database version: 3453
Windows 5.1.2600 Service Pack 3, v.5857
Internet Explorer 8.0.6001.18702

12/30/2009 12:30:54 AM
mbam-log-2009-12-30 (00-30-54).txt

Scan type: Quick Scan
Objects scanned: 107060
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am going to run another FULL scan with MBAM and see what gives. In the meantime, I am concerned as to WHY my AVIRA didn't catch the infections as they were happening and secondly, why DrWeb missed the additional 5 Trojans that Avira "suddenly" found during a DrWeb scan.

#7 Qwazert (Topic Starter)

Posted 30 December 2009 - 09:33 AM

MBAM's FULL scan reveals:

Malwarebytes' Anti-Malware 1.42
Database version: 3454
Windows 5.1.2600 Service Pack 3, v.5857
Internet Explorer 8.0.6001.18702

12/30/2009 6:26:50 AM
mbam-log-2009-12-30 (06-26-50).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 179352
Time elapsed: 43 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SO...am I "safe" now?
Why should I trust these results when other antivirus scanners and spyware detectors had told me earlier that I had no infections? How did this virus/trojan get past Avira AND Spyware Blaster to begin with?

#8 Computer Pro

Posted 30 December 2009 - 02:55 PM

We should be able to trust these results. Not all anti-malware products can detect what others can, so no single one is 100% fool-proof.

Let's run one final scan to be sure you're clean; it can also take a while.

Ok, please follow the instructions here for running the ESET online scanner:

Please perform a scan with ESET Online Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use

Now click Start.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software? (OnlineScanner.cab)".
Answer Yes to install and download the ActiveX controls that allow the scan to run.

Click Start. (the Onlinescanner will now prepare itself for running on your pc)

To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
Press Scan to start the online scan. (this could take some time to complete)
When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.

Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt

The scan results will open in Notepad.

Copy and paste the log results in your next reply.


Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Computer Pro

#9 Qwazert (Topic Starter)

Posted 30 December 2009 - 10:24 PM

Results of ESET scan:

C:\System Volume Information\_restore{B353B257-FF31-40ED-8B3D-796194922ED4}\RP624\A0134105.exe Win32/Adware.ADON application deleted - quarantined

Subsequent Panda Anti-Rootkit scan reveals no issues. Likewise for Malwarebytes...SuperAntiSpyware did detect a Trojan in an older archive that all of the others missed!
Will also scan for Trojans soon.

Edited by Qwazert, 31 December 2009 - 12:02 AM.

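Looking at the paths in the Dr.Web report in post #6 and the ESET result in post #9, every hit sits inside Avira's quarantine folder, a Spybot snapshot directory, or a System Restore point, none of them a location that was still running code. The script below is an added example for this thread, not code from the thread or from Dr.Web, ESET, Avira or Malwarebytes. It parses the two report formats as quoted above and sorts each detection by whether its path is a live location or one of those stores. The store path patterns are assumptions drawn from the paths in this thread, and the final Dr.Web line (a hit on a.exe in C:\WINDOWS\system32) is constructed so that the live-location branch is exercised too.

```python
"""Triage scanner hits by location: live system path vs. quarantine/backup store.

Added example; not code from any of the scanners discussed in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Locations that hold neutralised or historical copies rather than live code.
# Assumption: these patterns are derived from the paths seen in this thread;
# extend them for other products' quarantine folders.
STORE_PATTERNS = [
    (r"\\INFECTED(\\|$)", "Avira quarantine"),
    (r"\\Spybot - Search & Destroy\\Snapshots", "Spybot snapshot"),
    (r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+", "System Restore point"),
]

# Dr.Web report lines copied from post #6, plus one constructed line (the last
# entry) that places a hit in a live location so both branches are exercised.
DRWEB_REPORT = [
    r"4b56c21a.qua/data001\___\googletoolbar.exe;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4b56c21a.qua/data001;Trojan.DownLoad.50161;;",
    r"data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Archive contains infected objects;;",
    r"4b56c21a.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;",
    r"RegUBP2b-Daddy.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;",
    r"a.exe;C:\WINDOWS\system32;Trojan.DownLoad.50161;Deleted.;",  # constructed, not from the thread
]
# ESET result line copied from post #9.
ESET_REPORT = [
    r"C:\System Volume Information\_restore{B353B257-FF31-40ED-8B3D-796194922ED4}\RP624\A0134105.exe Win32/Adware.ADON application deleted - quarantined",
]

# ESET threat names look like family/variant (e.g. Win32/Adware.ADON).
THREAT_TOKEN = re.compile(r"^[A-Za-z0-9]+/[\w.\-]+$")


@dataclass
class Detection:
    scanner: str
    path: str
    threat: str
    action: str
    store: Optional[str] = None  # filled in by classify()


def parse_drweb(line: str) -> Optional[Detection]:
    """Dr.Web report line: object;directory;threat;action;  (trailing ';' optional)."""
    parts = line.rstrip(";").split(";")
    if len(parts) < 3:
        return None
    obj, directory, threat = parts[0], parts[1], parts[2]
    action = parts[3] if len(parts) > 3 else ""
    # Members of an archive are written as container/inner\path; keep that as-is.
    return Detection("Dr.Web", directory + "\\" + obj, threat, action)


def parse_eset(line: str) -> Optional[Detection]:
    """ESET line as quoted: <path with spaces> <family/variant> <action text>.

    Assumption: the threat name is the first whitespace-separated token
    containing a '/', so everything before it is the path.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if THREAT_TOKEN.match(tok):
            return Detection("ESET", " ".join(tokens[:i]), tok, " ".join(tokens[i + 1:]))
    return None


def classify(det: Detection) -> Detection:
    """Tag the detection with the store it lives in, or leave store=None if live."""
    for pattern, name in STORE_PATTERNS:
        if re.search(pattern, det.path, re.IGNORECASE):
            det.store = name
            break
    return det


def triage(drweb_lines: List[str], eset_lines: List[str]) -> Tuple[List[Detection], List[Detection]]:
    """Return (live_hits, stored_hits) across both scanners."""
    dets = [d for d in (parse_drweb(l) for l in drweb_lines if l.strip()) if d]
    dets += [d for d in (parse_eset(l) for l in eset_lines if l.strip()) if d]
    dets = [classify(d) for d in dets]
    live = [d for d in dets if d.store is None]
    stored = [d for d in dets if d.store is not None]
    return live, stored


if __name__ == "__main__":
    live, stored = triage(DRWEB_REPORT, ESET_REPORT)
    for d in stored:
        print(f"[{d.store}] {d.scanner}: {d.threat} -> {d.action or 'no action'}")
    for d in live:
        print(f"[LIVE] {d.scanner}: {d.threat} at {d.path} -> {d.action}")
    print("still-live hits:", len(live))
```

Hits in a quarantine folder or a restore point explain why one scanner keeps "finding" what another already removed; a hit in a live path such as system32 is the one that says the machine is still infected and is worth chasing.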

#10 Computer Pro

Posted 31 December 2009 - 11:41 AM

Are things running well now?
Computer Pro

#11 Qwazert (Topic Starter)

Posted 31 December 2009 - 07:51 PM

Seems to be...nothing is showing up on any scan now.

Thanks for your help...Happy New Year to you and yours!

#12 Computer Pro

Posted 01 January 2010 - 12:58 PM

Happy New Year to you also.

Now if everything is good then:

Create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok"
Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" Tab.
Click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.
Computer Pro
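The same result as the System Restore and Disk Cleanup steps above, from an elevated PowerShell prompt, as an added example that is not a script from the thread or from Microsoft: create a fresh restore point, confirm it is now the newest one, and only then delete every older point. It assumes Windows XP through 7 with PowerShell 2.0 or later and srclient.dll present (the SRRemoveRestorePoint export is not available on Windows 8 and later), and it must be run as Administrator. The restore point description string is the only name chosen here.

```powershell
# Added example; not code from the thread. Run elevated.
$ErrorActionPreference = 'Stop'
$description = 'Post-cleanup baseline'   # assumed name for the new point

# System Restore is exposed through the root\default:SystemRestore WMI class.
$sr = [wmiclass]'\\.\root\default:SystemRestore'

# CreateRestorePoint(Description, RestorePointType, EventType)
#   12  = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE
$result = $sr.CreateRestorePoint($description, 12, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed with code $($result.ReturnValue); nothing deleted."
}

# Enumerate restore points oldest-first and check the new one is the newest.
$points = Get-WmiObject -Namespace root\default -Class SystemRestore |
          Sort-Object SequenceNumber
$newest = $points | Select-Object -Last 1
if ($newest.Description -ne $description) {
    throw "Newest restore point is '$($newest.Description)', not the one just created; aborting."
}

# SRRemoveRestorePoint(dwRPNum) in srclient.dll deletes one point by sequence number.
Add-Type -Namespace Win32 -Name SR -MemberDefinition @'
[DllImport("srclient.dll", SetLastError = true)]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@

foreach ($p in $points | Where-Object { $_.SequenceNumber -ne $newest.SequenceNumber }) {
    $rc = [Win32.SR]::SRRemoveRestorePoint([uint32]$p.SequenceNumber)
    if ($rc -ne 0) {
        Write-Warning "Could not remove RP$($p.SequenceNumber) ($($p.Description)): error $rc"
    } else {
        Write-Host "Removed RP$($p.SequenceNumber): $($p.Description)"
    }
}
Write-Host "Kept RP$($newest.SequenceNumber) ($($newest.Description))"
```

The order matters: the old points are only removed after the new one has been created and verified, so a failure partway through never leaves the machine with no restore point at all. Deleting a restore point is irreversible, which is why the script refuses to continue if the newest point is not the one it just made.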

#13 Qwazert (Topic Starter)

Posted 01 January 2010 - 05:16 PM

I already did this, but thanks for the heads-up!

Again...thank you and this wonderful forum for the outstanding service! I have mentioned your site in several other forums.

#14 Computer Pro

Posted 02 January 2010 - 03:16 PM

You're very welcome. Also, thanks for the mention!
Computer Pro
