Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Win32.Agent.pp (I've been nuked!)


  • Please log in to reply
18 replies to this topic

#1 DrNixonRenaldo

DrNixonRenaldo

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 06:30 PM

Hello!

I just returned to school today after being home for about three weeks. My computer was off and disconnected from the internet while I was away. The school used a program called Cisco Clean Access agent to monitor network use prior to me leaving and while I was away they transitioned to a new program called SafeConnect. Relevant information incoming: When I booted up my computer today, I had to set up the SafeConnect deal before it allowed me internet access - I am not 100% positive as to how these things work, but I believe this was the start of my (computer's) demise - I think, since internet access was limited, my antivirus - McAffee ( the school requires us to use it, I know there are far better programs out there...) - was unable to update its definitions. So I proceeded to tool around online for about an hour apparently unprotected. I found a new band that I really liked but whose music was not available for downloads over iTunes, etc, as it hasn't been officially released in the U.S. yet, and so I made mistake number two - I went to the pirate bay (unless I managed to contract this from some legitimate website, or someone managed to sneak it into the thing I downloaded for the SafeConnect deal...I don't know where else this could have come from....assuming my issues stem from my pirate bay usage as of right now...even though I didn't actually try to download any music or anything...? About the infections from legitimate websites thing, I read about it here: http://www.wired.com/threatlevel/2009/10/gawker/ ). I typed the bands name into the search box and pressed enter, and nothing happened (not sure if this is relevant.) There was some link on their homepage to some other band, who was apparently choosing to purposely release their music for free over pirate bay - this looked interesting, and so I stopped my search for the other band to check it out. The page loaded fine, I read the snippet, and about 45 seconds later a window that was supposedly from McAfee popped up onto my screen saying it had found a trojan (I don't remember the name of the file, but it was something with 'gen' in it...) It looked 100% like the McAfee GUI, and I clicked the 'X' button in the upper right hand corner to close the screen. My computer proceeded to "blue screen" - I am sure that that is not a technical term, but I think you know what I am talking about, and as I don't remember, and - foolishly - didn't take any time to write down what the error messages said, I am not sure how else to describe it .

Anyway, I hard rebooted (not sure if this is the proper technical term...I held the power button down until the computer just turned off) and found, after an agonizingly slow (I usually boot in ~3 minutes, this took closer to 5), many wonderous things waiting for me - links to pornographic sites had appeared on my desktop, multiple McAfee and Windows Defender windows littered my screen (some of which looked legitimate (but so had that last one...) and some of which looked downright fake, warning me about a few different infections, the first of which was the one in my title - Rootkit.Win32.Agent.pp. I don't remember the names of the others. After I clicked the 'X' to close that first Windows Defender window, the one that had warned me about Rookit.Win32.Agent.pp, another one would appear about 15 seconds later warning me about some other malicious thing. There were also these little windows that looked like pop-up advertisements - I wasn't connected to the internet at the time - asking me to buy a piece of malware protection software. At this point, I hard rebooted once again...

I booted into safe mode and did a system restore to about 2 months ago - no problems were present then. I booted back into normal mode (in the usual amount of time) and none of the unwelcome links were on my desktop. I am not 100% certain that this next part was well-advised, but it is almost 20 below here and I am the first one back in my building - access to another computer would require significant hardship, and so....I am now creating this post from the machine that I am having these problems on - although implied, just for clarity, I feel I should say that yes, I plugged it back into the internet. I know rootkits are generally a nasty breed, but things appear to be fine, and well...I am impatient and would like to immediately get to the bottom of this or be told by an expert that things are A-OKAY.

I ran a Malwarebytes' Anti-Malware quick scan, which didn't detect anything. A full scan is running as I write this up. As for system information, here you go (sorry if this is overkill, I honestly don't know how much of this is relevant, but I figure too much information can never be a bad thing...(as far as computer problems go) anyway, I apologize if you have to sift for what you need, let me know if there would be a better way to post the info. This came from going to start-->all programs-->accessories-->system tools-->system information, and then putting that into a text file) Edit: Your forums yelled at me, informing me that my post was too long! Leaving the barebones sysinfo here and posting the rest in another post:

System Information report written at: 01/10/10 17:15:54
System Name: STATION2
[System Summary]

Item Value
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name STATION2
System Manufacturer Dell Inc
System Model Dimension C521
System Type X86-based PC
Processor x86 Family 15 Model 107 Stepping 1 AuthenticAMD ~2104 Mhz
BIOS Version/Date Dell Inc 1.1.6, 4/7/2007
SMBIOS Version 2.4
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name STATION2\Julie
Time Zone Central Standard Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 976.40 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 3.85 GB
Page File C:\pagefile.sys





I apologize if that got a bit long...I wanted to provide as much detail as possible.

Thanks in advance for any help,



Max (Yes, I know if you browse through the sysinfo the username is Julie, and my forums username is Nixon Renaldo...it is all very confusing, and very irrelevant to this thread...)

Edited by DrNixonRenaldo, 10 January 2010 - 06:35 PM.


BC AdBot (Login to Remove)

 


#2 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 06:37 PM

* EDIT:This log was from an old version of MBAM and is not relevant! Leaving it here just incase any information can still be ascertained from it, but there is a log from the current version (with more fun malicious goodies found!) farther down in the thread!*

Even without my writeup included, the system information post is too long to post. If there is any other info that would be helpful, please let me know. I think I have included enough already for us to get started.

That MalwareBytes Full scan is done:
Malwarebytes' Anti-Malware 1.40
Database version: 2725
Windows 5.1.2600 Service Pack 3

1/10/2010 6:22:56 PM
mbam-log-2010-01-10 (18-22-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 341760
Time elapsed: 1 hour(s), 54 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)









Is it possible that I was never infected with that nasty rootkit? Maybe some rogueware thing trying to get me to buy another product that was easily remedied with the system restore? I really have no idea!

Edited by DrNixonRenaldo, 10 January 2010 - 10:13 PM.


#3 roadclosed

roadclosed

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 10 January 2010 - 07:17 PM

A full scan is running as I write this up

.

Assuming you are using up- to- date definitons on the Malwarebytes program, can you post the report from that latest scan for someone to check for you?

#4 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 07:26 PM

A full scan is running as I write this up

.

Assuming you are using up- to- date definitons on the Malwarebytes program, can you post the report from that latest scan for someone to check for you?


/facepalm...

I used version 1.40, when apparently a version 1.44 now exists...remedying this now. You see why I need assistance now, yes?

#5 roadclosed

roadclosed

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 10 January 2010 - 07:31 PM

Once you have fully updated Malwarebytes, please reboot then run a full system scan for someone to check for you

#6 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 07:38 PM

Once you have fully updated Malwarebytes, please reboot then run a full system scan for someone to check for you


I have updated to version 1.44 (the latest version) and that also automatically updated the database.

Anyway, I will post the log when it finishes. The last scan took around two hours.

Edited by DrNixonRenaldo, 10 January 2010 - 09:39 PM.


#7 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 07:52 PM

16 minutes into the scan and four infected objects found. Trouble-be-a-brewin' :thumbsup:

#8 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 10 January 2010 - 09:39 PM

Updated MBAM Full Scan Complete:


Malwarebytes' Anti-Malware 1.44
Database version: 3537
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/10/2010 8:28:04 PM
mbam-log-2010-01-10 (20-28-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 361386
Time elapsed: 1 hour(s), 51 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Julie\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Julie\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Julie\Local Settings\Temp\Installer.exe (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Julie\Local Settings\Temp\H8SRTfdad.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\H8SRTd.sys (Malware.Packer) -> No action taken.
C:\Documents and Settings\Julie\Local Settings\Temp\H8SRTfd5f.tmp (Rootkit.TDSS) -> No action taken.

After creating that logfile, I hit remove, and it said it would need to restart my computer to remove all of the items. I accepted the prompt and it restarted smoothly.

I am still not feeling super safe right now. I would like to know how I contracted this(these?) and make sure that it(they?) is(are?) (all?) gone for good.

Edited by DrNixonRenaldo, 10 January 2010 - 10:11 PM.


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:20 AM

Posted 10 January 2010 - 11:53 PM

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 11 January 2010 - 12:15 AM

Thanks for your help!

I need some clarification as to how to setup the SAS scanner options: I wasn't sure if you wanted me to check those three items you listed and then UNCHECK all the others, or if you wanted me to check those three you listed and then leave the others as they were initially.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:20 AM

Posted 11 January 2010 - 12:18 AM

No problem'
make sure the following are checked (leave all others unchecked):

or YES to this
wanted me to check those three items you listed and then UNCHECK all the others,
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 11 January 2010 - 02:32 AM

I have done as you instructed, here are the results:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2010 at 01:18 AM

Application Version : 4.33.1000

Core Rules Database Version : 4463
Trace Rules Database Version: 2284

Scan type : Complete Scan
Total Scan Time : 01:51:55

Memory items scanned : 216
Memory threats detected : 0
Registry items scanned : 6744
Registry threats detected : 1
File items scanned : 216542
File threats detected : 104

Adware.IWinGames
HKU\S-1-5-21-530765470-51562960-1903129366-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Adware.Tracking Cookie
C:\Documents and Settings\Julie\Cookies\julie@2o7[2].txt
C:\Documents and Settings\Julie\Cookies\julie@fastclick[1].txt
C:\Documents and Settings\Julie\Cookies\julie@ads.undertone[1].txt
C:\Documents and Settings\Julie\Cookies\julie@doubleclick[2].txt
C:\Documents and Settings\Julie\Cookies\julie@smartadserver[2].txt
C:\Documents and Settings\Julie\Cookies\julie@revsci[1].txt
C:\Documents and Settings\Julie\Cookies\julie@adlegend[2].txt
C:\Documents and Settings\Julie\Cookies\julie@atdmt[2].txt
C:\Documents and Settings\Julie\Cookies\julie@collective-media[1].txt
C:\Documents and Settings\Julie\Cookies\julie@ad.yieldmanager[1].txt
C:\Documents and Settings\Julie\Cookies\julie@dmtracker[1].txt
C:\Documents and Settings\Julie\Cookies\julie@youporn[2].txt
C:\Documents and Settings\Julie\Cookies\julie@burstnet[2].txt
C:\Documents and Settings\Julie\Cookies\julie@media6degrees[1].txt
C:\Documents and Settings\Julie\Cookies\julie@perf.overture[2].txt
C:\Documents and Settings\Julie\Cookies\julie@ads-dev.youporn[2].txt
C:\Documents and Settings\Julie\Cookies\julie@imrworldwide[2].txt
C:\Documents and Settings\Admin\Cookies\admin@112.2o7[2].txt
C:\Documents and Settings\Admin\Cookies\admin@a.findarticles[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ad.interclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ad.lookery[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ad.srving[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ad.turn[1].txt
C:\Documents and Settings\Admin\Cookies\admin@adcache.cycletrader[1].txt
C:\Documents and Settings\Admin\Cookies\admin@adinterax[1].txt
C:\Documents and Settings\Admin\Cookies\admin@adlegend[2].txt
C:\Documents and Settings\Admin\Cookies\admin@adopt.specificclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.addynamix[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.bridgetrack[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.cnn[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.cnn[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.comicskingdom[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.fredericksburg[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.ireport[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.nba[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.pointroll[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.revsci[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.traderonline[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.us.e-planning[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.widgetbucks[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.writing[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads2.airamerica[2].txt
C:\Documents and Settings\Admin\Cookies\admin@adserver.adtechus[1].txt
C:\Documents and Settings\Admin\Cookies\admin@adserving.autotrader[1].txt
C:\Documents and Settings\Admin\Cookies\admin@afe.specificclick[1].txt
C:\Documents and Settings\Admin\Cookies\admin@anad.tacoda[1].txt
C:\Documents and Settings\Admin\Cookies\admin@anat.tacoda[2].txt
C:\Documents and Settings\Admin\Cookies\admin@at.atwola[2].txt
C:\Documents and Settings\Admin\Cookies\admin@atlas.fixionmedia[1].txt
C:\Documents and Settings\Admin\Cookies\admin@atwola[2].txt
C:\Documents and Settings\Admin\Cookies\admin@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@azjmp[1].txt
C:\Documents and Settings\Admin\Cookies\admin@bizrate[2].txt
C:\Documents and Settings\Admin\Cookies\admin@bravenet[1].txt
C:\Documents and Settings\Admin\Cookies\admin@chitika[1].txt
C:\Documents and Settings\Admin\Cookies\admin@collective-media[1].txt
C:\Documents and Settings\Admin\Cookies\admin@counter.surfcounters[1].txt
C:\Documents and Settings\Admin\Cookies\admin@crackheadjesus[1].txt
C:\Documents and Settings\Admin\Cookies\admin@crackle[1].txt
C:\Documents and Settings\Admin\Cookies\admin@dmtracker[1].txt
C:\Documents and Settings\Admin\Cookies\admin@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\Admin\Cookies\admin@edge.ru4[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ehg-findlaw.hitbox[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ehg-groupernetworks.hitbox[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ehg-traderpublishing.hitbox[2].txt
C:\Documents and Settings\Admin\Cookies\admin@findarticles[1].txt
C:\Documents and Settings\Admin\Cookies\admin@findingsingles[1].txt
C:\Documents and Settings\Admin\Cookies\admin@imrworldwide[2].txt
C:\Documents and Settings\Admin\Cookies\admin@insightexpressai[2].txt
C:\Documents and Settings\Admin\Cookies\admin@interclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@kontera[2].txt
C:\Documents and Settings\Admin\Cookies\admin@l1.qsstats[1].txt
C:\Documents and Settings\Admin\Cookies\admin@media.adrevolver[3].txt
C:\Documents and Settings\Admin\Cookies\admin@media.mtvnservices[1].txt
C:\Documents and Settings\Admin\Cookies\admin@media6degrees[2].txt
C:\Documents and Settings\Admin\Cookies\admin@mediapredict[1].txt
C:\Documents and Settings\Admin\Cookies\admin@microsoftconsumermarketing.112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@nextag[2].txt
C:\Documents and Settings\Admin\Cookies\admin@precisionclick[1].txt
C:\Documents and Settings\Admin\Cookies\admin@qnsr[1].txt
C:\Documents and Settings\Admin\Cookies\admin@realnetworks.112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@richmedia.yahoo[2].txt
C:\Documents and Settings\Admin\Cookies\admin@rotator.adjuggler[1].txt
C:\Documents and Settings\Admin\Cookies\admin@s.clickability[1].txt
C:\Documents and Settings\Admin\Cookies\admin@server.iad.liveperson[2].txt
C:\Documents and Settings\Admin\Cookies\admin@server.iad.liveperson[3].txt
C:\Documents and Settings\Admin\Cookies\admin@server.iad.liveperson[4].txt
C:\Documents and Settings\Admin\Cookies\admin@socialmedia[1].txt
C:\Documents and Settings\Admin\Cookies\admin@specificclick[1].txt
C:\Documents and Settings\Admin\Cookies\admin@specificmedia[1].txt
C:\Documents and Settings\Admin\Cookies\admin@stat.onestat[2].txt
C:\Documents and Settings\Admin\Cookies\admin@stats.gamestop[2].txt
C:\Documents and Settings\Admin\Cookies\admin@timeinc.122.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@tracking.foundry42[2].txt
C:\Documents and Settings\Admin\Cookies\admin@tracking.foundry42[3].txt
C:\Documents and Settings\Admin\Cookies\admin@tripod[1].txt
C:\Documents and Settings\Admin\Cookies\admin@usnews.122.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@viacom.adbureau[1].txt
C:\Documents and Settings\Admin\Cookies\admin@www.burstbeacon[2].txt
C:\Documents and Settings\Admin\Cookies\admin@www.burstnet[1].txt
C:\Documents and Settings\Admin\Cookies\admin@www.clickmanage[2].txt
C:\Documents and Settings\Admin\Cookies\admin@www.googleadservices[1].txt
C:\Documents and Settings\Admin\Cookies\admin@www.mlsfinder[2].txt
C:\Documents and Settings\Admin\Cookies\admin@www.mlsfinder[3].txt

I am definitely not an attendee of crackheadjesus or youporn, etc...where are these coming from?

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:20 AM

Posted 11 January 2010 - 11:31 AM

hello,trust me I never fret the nicknames..
You have and were and may still be infected by one of the nastiest TDDS culprits. It is the nature of this to steal info mation and use your machine to contact the outside world. It sends more malware in and send personnal info out.

This what I will tell everyone when I see this.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 DrNixonRenaldo

DrNixonRenaldo
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 11 January 2010 - 04:16 PM

I've needed a new computer for a while anyway and am using this as an excuse to finally spend the money. I backed up my files less than 5 weeks ago, and although it's a bit of a bummer - I will lose a bit of stuff - nothing crucial will be lost.

Still, I would very much like to know what I did that allowed me to become infected like this.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:20 AM

Posted 11 January 2010 - 04:36 PM

Hi, I suspect the torrent download.. easily too was the time spent surf with an A/V/. They say it only takes minutes now to get infected like that.

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users