
Removed Trojans, posting the HijackThis log for confirmation


This topic is locked
14 replies to this topic

#1 aloathsomebrute

  • Members
  • 7 posts

Posted 18 January 2010 - 01:04 PM

Removed a couple of pesky trojans. Attached is the post clean-up log for confirmation by the trained eyes that all is well.

Please let me know if you notice something that shouldn't be there. Cheers!

Attached Files





#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 January 2010 - 05:31 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 19 January 2010 - 06:49 AM

Hi

Thanks for your reply. Anti-Malware is Shareware as per the link. Do I need to buy it to remove some kind of restrictions or is it free to use?

Thanks again.

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 January 2010 - 06:59 AM

Hi,

No, it is free to use.

#5 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 21 January 2010 - 10:52 AM

Hi again

I ran MBAM. It found and removed a bunch of things in the first scan. Logs of scans after rebooting & running HJT and MBAM again are attached.

I am fine with the 3 MBAM warnings - have deliberately disabled all 3.

Please let me know if you notice anything else out of the ordinary in the 2 logs. Thanks!

Attached Files


Edited by aloathsomebrute, 21 January 2010 - 10:53 AM.


#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2010 - 11:01 AM

Hi,

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\wmiprvse.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Then, start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [winmgmt] C:\WINDOWS\system32\wmiprvse.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe (User 'Default user')


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new HijackThis log in your next reply.



#7 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 21 January 2010 - 11:23 AM

Submitted the CAB file.

Latest HJT log after removing those 4 entries, rebooting and rescanning is attached.

Attached Files


Edited by aloathsomebrute, 21 January 2010 - 11:24 AM.


#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2010 - 11:35 AM

Hi,

The file was not present anymore. The cab file only contained the txt file. I already had a feeling that the file was already gone; that's why I asked you to use Suspicious File Packer, just to make sure.

Anyway, your log looks OK again. How are things now?

#9 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 21 January 2010 - 11:46 AM

Yes, the files SSCVIHOST.exe and wmiprvse.exe were already deleted during one of the earlier Virus scans.

Thanks for all your help!

BTW, what is it exactly that the "Suspicious File Packer" does? Check the file against known "bad files"?

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2010 - 11:54 AM

This suspicious file packer is just a tool to make it easier for the user to collect certain samples and pack them. You can add multiple lines of filepaths in it as well.
I mainly used this one now because I wasn't sure if the file was still present. So instead of asking you to search for the file (since there's also a legitimate one in the wbem folder, or the malware file could be hidden), it was better/easier for both of us to let a tool check for its presence and pack it already.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
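A small triage script, added here as an example (it is not code from the thread, from HijackThis or from Malwarebytes): it parses the O4 autorun lines quoted above and flags a wmiprvse.exe that does not live in the wbem folder miekiemoes mentions. It also flags Run values under the SYSTEM and Default User profiles; that second heuristic is my assumption, not something the thread states.

```python
import ntpath
import re

# Legitimate home of a system binary that malware likes to imitate.
# The wmiprvse.exe/wbem pair comes from the thread; extend as needed.
EXPECTED_DIR = {"wmiprvse.exe": r"c:\windows\system32\wbem"}

# Run values under these hives load for the SYSTEM and Default profiles,
# which ordinary software seldom writes to (assumed heuristic, not from thread).
SUSPECT_HIVES = (r"HKUS\S-1-5-18\..\Run", r"HKUS\.DEFAULT\..\Run")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

def parse_o4(line):
    """Return {hive, name, path, user} for a HijackThis O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # First token is the executable; respect a quoted path containing spaces.
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    return {"hive": m.group("hive"), "name": m.group("name"),
            "path": path, "user": m.group("user")}

def check_entry(entry):
    """Return the reasons an O4 entry deserves a closer look (empty if none)."""
    reasons = []
    base = ntpath.basename(entry["path"]).lower()
    folder = ntpath.dirname(entry["path"]).lower()
    if base in EXPECTED_DIR and folder != EXPECTED_DIR[base]:
        reasons.append(f"{base} expected in {EXPECTED_DIR[base]}, found in {folder}")
    if entry["hive"] in SUSPECT_HIVES:
        reasons.append(f"autorun under {entry['hive']} ({entry['user']} profile)")
    return reasons

def triage(log_text):
    """Map each O4 path in a HijackThis log to its accumulated reasons."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            findings.setdefault(entry["path"], []).extend(check_entry(entry))
    return findings

# Constructed sample log built from the entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [winmgmt] C:\WINDOWS\system32\wmiprvse.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe (User 'Default user')
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", reasons or ["nothing unusual"])
```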

#11 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 21 January 2010 - 12:15 PM

I actually asked the wrong question. I figured that SFP is just archiving the file. What I meant to ask is what happens when I upload the file. Do you manually take a look at it or do you have some tools verifying the file's footprint/ hash against known good value for a legitimate file or against known miscreants?

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2010 - 12:47 PM

I "manually" take a look at it since I'm a malware researcher.

#13 aloathsomebrute
  • Topic Starter

  • Members
  • 7 posts

Posted 21 January 2010 - 10:49 PM

Cheers. Thanks again for your time.

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2010 - 02:10 AM

You're most welcome.

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 January 2010 - 09:40 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



