
Possible infection


16 replies to this topic

#1 pcneedy

pcneedy

  • Members
  • 12 posts

Posted 21 February 2010 - 12:49 PM

Hi,
I am running Avast Home and it found a couple of files it marked as "infected". It moved them to the virus vault, but I wonder if there is something that was using these files that wasn't detected. Paranoia? The files that Avast found were:

1. BIT1A.tmp
2. BIT7.tmp
3. BITA.TMP
4. BITB.TMP
5. BITB.TMP
It also found some system files:

1. Kernel32.dll
2. Kernel32.dll
3. winsock.dll
4. Wsock32.dll

Is there a way to check and make sure that there aren't any other problems?

Thanks



#2 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 22 February 2010 - 01:20 AM

Hello :thumbsup:
A good place to start is by scanning with Malwarebytes'.

How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
Posted by Grinler on February 16, 2010

http://www.bleepingcomputer.com/virus-remo...alware-tutorial

See post by quietman7 (Global Moderator):
For those having trouble running Malwarebytes Anti-Malware
http://www.bleepingcomputer.com/forums/t/267354/for-those-having-trouble-running-malwarebytes-anti-malware/

When you reply, please copy/paste the results of the Malwarebytes' scan into your post.
If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 22 February 2010 - 06:16 PM

Thank you for your reply. I ran the Malwarebytes program and it came up clean. Does this mean that I am clean and worry free?

#4 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 22 February 2010 - 06:18 PM

Sorry, here is the log from the scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3777
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/22/2010 6:06:03 PM
mbam-log-2010-02-22 (18-06-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 168075
Time elapsed: 30 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 22 February 2010 - 08:21 PM

I wish I could say with all certainty that you are infection free, but at this point, all we know for sure is that Malwarebytes' did not find anything.

Do you know what specifically avast! found? (Specific name(s) would be helpful.)

Get the free program CCleaner:
http://www.ccleaner.com/
(use the Cleaner tool)
(It is a good program, it's free, I use it DAILY):
It not only cleans your computer, it also has a Registry tool that will check for/fix registry errors, and it also has an "uninstall programs" tool and a "startup" tool (you can remove items from Startup).
There is a tour, see what the program does, look at the screen shots.

Just in case there are any "bad things" running on your computer, run Rkill first, then scan with SUPERAntiSpyware.

Download Rkill (free program) from here:
http://www.technibble.com/rkill-repair-tool-of-the-week/
(description of program copied/pasted from technibble.com website)
"Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools. Rkill is made by a Microsoft MVP “Lawrence Abrams” and is available in 4 different extensions. An .EXE, .COM, .SCR and a .PIF file.
The reason why Rkill comes in 4 different versions is because some malware will block .EXE files in an attempt to prevent you from running other malware removal tools, so this gets around that problem."

SUPERAntiSpyware (also free):
http://www.superantispyware.com/

---------------------------------------------------------------------------------------------------------------------

Below are the instructions to do an ESET online scan: (given to me by etavares, a member of the Malware Response Team)

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


-------------------------------------------------------------------------------------------------------------

Please reply back with:
the results of the SUPERAntiSpyware scan (copy/paste the log into your next reply), along with the results of the ESET scan as well, and if possible, specific name(s) of what avast! found.


#6 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 22 February 2010 - 09:12 PM

I am downloading the 2 programs now, but it will take a while since I have dial-up. Will the online scan be a problem on dial-up? The files that avast found were listed on the first page. They were the ones that I moved to the virus chest since they were locked from the resident protection scanner.

#7 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 22 February 2010 - 10:53 PM

Hello :thumbsup:
You're right, my bad, you DID list them in your orig post, sorry about that.
When I originally replied to your post the first time, I had done a search on the "Bit" files, and the search results yielded several possible infections, meaning there was no single definitive answer on WHICH infection(s)...
That's why I don't want to declare you infection free without seeing the results of other reputable scans.

The online scan should still run on a dial-up connection, it just won't get done at Warp Speed 9.

Please reply back with the results.
Thanks :flowers:

#8 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 23 February 2010 - 11:38 AM

I have never used an online scanner before. Is there any chance of information theft, such as passwords, information in documents, SSN stuff, or anything of that nature?

#9 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 23 February 2010 - 01:57 PM

When the integrity of a computer has become "compromised", and "bad things" have made their way into the computer, the possibility exists that "sensitive" information could be transmitted, or may have ALREADY been transmitted.

The only way to guarantee that will not happen, is to not have an internet connection to that computer, period.

The nature of doing an online scan is not in and of ITSELF dangerous.
Having an active internet connection attached to an infected computer is the dangerous part.


When doing financial transactions, or other "sensitive/confidential" tasks, it is important to take all necessary precautions, such as only using SECURE sites (for example, 128-bit SSL encryption), having and using the proper protection (firewall, antivirus), closing browsers upon completion of the task, emptying all cache files (doing a "clean out"), etc.

Doing the ESET online scan is not any more dangerous than using the infected computer to access the internet to download malware removal programs.

The following information was provided to me by etavares, (a member of the Malware Response Team):
"If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation."

#10 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 23 February 2010 - 05:48 PM

I ran Rkill, then SUPERAntiSpyware, and here is the log:


Application Version : 4.34.1000

Core Rules Database Version : 4613
Trace Rules Database Version: 2425

Scan type : Complete Scan
Total Scan Time : 00:21:35

Memory items scanned : 403
Memory threats detected : 0
Registry items scanned : 3735
Registry threats detected : 0
File items scanned : 24302
File threats detected : 54

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstbeacon[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@data.coremetrics[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@discountcell[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@chitika[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dmtracker[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.undertone[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kontera[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.infinisource[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.googleadservices[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@qualitygolfstats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adlegend[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.discountcell[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bridgetrack[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@intermundomedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ext-us.bestofmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@indigio.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@smartadserver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].tx

I also ran the Avast again and it found:
SFX_0013._P
SFX_0008._P
SFX_0011._p

Could all of these be Windows Update files? My system has been downloading a large Windows update for the past several days. I will try the online scanner later tonight during a non-peak time.
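The two scan logs pasted in this thread (the Malwarebytes summary in post #4 and the SUPERAntiSpyware list in this post) can be triaged mechanically rather than read line by line. The Python script below is an added example, not a tool from the thread or from either vendor. The log text inside it is constructed from the posts above and abridged, and the triage rule it applies (tracking cookies alone are low risk; any other category, or a counter that exceeds the itemised lines, deserves a human look) is an assumption of this example, not something either scanner reports.

```python
"""Triage the two kinds of scan log pasted in this thread.

Handles the Malwarebytes' Anti-Malware summary format (post #4) and the
SUPERAntiSpyware format (post #10), where a category line such as
"Adware.Tracking Cookie" is followed by one detected path per line.
The log text below is constructed from the posts, abridged.
"""
import re
from collections import OrderedDict

COOKIE_CATEGORY = "Adware.Tracking Cookie"

# "Label : 123" counter lines; values that are not plain integers are ignored
_COUNT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\d+)\s*$")
# A detected item: a file path ("C:\...") or a registry path ("HKLM\...")
_ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z_]*\\)")
# Tracker host inside a cookie file name, e.g. "administrator@doubleclick[2].txt";
# the trailing ".txt" is not required, so a cut-off last line still parses.
_COOKIE_RE = re.compile(r"@(?P<host>[^\[\]\\]+)\[\d+\]")

# Constructed sample in the Malwarebytes format of post #4 (abridged).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3777
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 168075

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# Constructed sample in the SUPERAntiSpyware format of post #10, abridged to
# four of the cookies; the last line is deliberately cut off, as in the post.
SAS_LOG = r"""
Application Version : 4.34.1000

Core Rules Database Version : 4613
Scan type : Complete Scan
Total Scan Time : 00:21:35

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].tx
"""


def parse_counts(text):
    """Return every integer 'Label : N' line as an ordered {label: N} mapping."""
    counts = OrderedDict()
    for line in text.splitlines():
        m = _COUNT_RE.match(line.strip())
        if m:
            counts[m.group("key").strip()] = int(m.group("val"))
    return counts


def detection_counts(text):
    """Only the counters that express detections, in either engine's wording."""
    return OrderedDict(
        (k, v) for k, v in parse_counts(text).items()
        if "Infected" in k or "threats detected" in k
    )


def parse_detections(text):
    """Group detected paths under the category heading that precedes them."""
    groups = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _ITEM_RE.match(line):
            groups.setdefault(current or "Uncategorised", []).append(line)
        elif ":" in line:  # header or counter line, not a category heading
            continue
        else:
            current = line
            groups.setdefault(current, [])
    return OrderedDict((k, v) for k, v in groups.items() if v)


def cookie_hosts(paths):
    """Sorted, de-duplicated tracker hosts taken from cookie file names."""
    hosts = set()
    for p in paths:
        m = _COOKIE_RE.search(p)
        if m:
            hosts.add(m.group("host"))
    return sorted(hosts)


def triage(text):
    """Verdict for one log: cookies alone are low risk; any other category, or a
    counter higher than the itemised lines (a truncated paste), needs review."""
    counts = detection_counts(text)
    groups = parse_detections(text)
    reported = sum(counts.values())
    itemised = sum(len(v) for v in groups.values())
    other = [c for c in groups if c != COOKIE_CATEGORY]
    return {
        "reported": reported,
        "itemised": itemised,
        "categories": list(groups),
        "cookie_hosts": cookie_hosts(groups.get(COOKIE_CATEGORY, [])),
        "needs_review": bool(other) or reported > itemised,
    }


if __name__ == "__main__":
    for name, log in (("Malwarebytes", MBAM_LOG), ("SUPERAntiSpyware", SAS_LOG)):
        print(name, triage(log))
```

Run as-is it reports both constructed logs as not needing review: the Malwarebytes counters are all zero, and the SUPERAntiSpyware hits are all cookies, with the four tracker hosts listed by name. The comparison of the counter against the itemised lines is what catches a pasted log that was cut short, which the ".tx" ending of the real log hints at.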

#11 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 23 February 2010 - 08:27 PM

I finished the eset online scanner and at the end it said "No Threats Found". There wasn't any "List of threats found".

#12 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 23 February 2010 - 08:31 PM

Another question maybe not pertinent to the subject...You said that you use CCleaner and so do I. Just downloaded the new update. What tabs do you suggest that I tick on the windows tab to improve security when cleaning? I'm running XP Pro.

#13 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 23 February 2010 - 09:29 PM

Hello :thumbsup:
Excellent news that the ESET online scan found zero infections! :flowers:

Malwarebytes, SUPERAntiSpyware, and ESET online scanner are reputable, and now that all scans confirm zero infections found, you can breathe a sigh of relief (for the moment) :trumpet: Just don't become TOO complacent, because keeping your computer infection free does require some degree of vigilance on your part.

The files that were found by SUPERAntiSpyware were cookies; that's just a sign that doing a regular "clean out" is a good idea.

I honestly have no idea what the files were that Avast found, but when I did a Google search on one of the file names, the only search result it brought up was all in what might have been Chinese characters.

I do need to let you know that this afternoon I learned (from a Global Moderator on this site, whose knowledge and experience I have a great deal of respect for) it is NOT a good idea to use CCleaner, and that the bleepingcomputer website does NOT recommend the use of CCleaner, or any other automated registry cleaner program.
The reason for this is because using these types of programs can cause problems.
I trust that advice, and encourage you to as well, because I want you to have the BEST (and safest) help there is.

The bleepingcomputer website DOES recommend the use of ATF Cleaner.
I have used that program, and it does a good job.
It's free, and you can get it here:
http://www.atribune.org/index.php?option=c...5&Itemid=25
The following is copied/pasted from atribune's website:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Notes for Windows Vista users:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".


-----------------------------------------------------------------------------------
I'm going to point you in the direction of some EXCELLENT information, that will be of tremendous benefit to you.
It's a whole lot easier to take the proper precautions, and it takes less time and effort to do that, than it does to fix infections, which can be quite ugly and stubborn to remove.

Do take the time to read these:

How Malware Spreads - How did I get infected
by quietman7 (Global Moderator)

http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/

How did I get infected?, With steps so it does not happen again!
by Grinler (Admin)

http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

The Ten Most Dangerous Things Users Do Online
by quietman7 (Global Moderator)

http://www.bleepingcomputer.com/forums/t/69440/the-ten-most-dangerous-things-users-do-online/


:inlove:

#14 pcneedy

pcneedy
  • Topic Starter

  • Members
  • 12 posts

Posted 24 February 2010 - 06:52 PM

Hi again,
I wanted to make sure that the online scanner completed its scan, because it may have ended abruptly, not quite sure. But it came up and said that no threats were found anyway. So I went to run it again, and when I get to the part where I have to allow the install of the ActiveX, a window opens and says that the page needs to be refreshed and I would have to send the information again. Then a security window opens and says:

Windows has blocked this software because it can't verify the publisher
Name: online scanner
Publisher:unknown publisher

Could this be a problem, or is there something that needs a tweak?

#15 Sashacat

Sashacat

  • Members
  • 372 posts

Posted 24 February 2010 - 08:54 PM

I could be wrong, but it SOUNDS like a firewall is stopping it.
Are you using Windows Firewall? Do you have a different firewall program?
