
I think im infected



#1 pimpfelix

  • Members
  • 16 posts

Posted 22 March 2010 - 01:14 AM

Hey guys, I think I'm infected with some sort of virus or trojan. I clean things up with SuperAntiSpyware and Malwarebytes, but something keeps coming back within a day or two. Today I randomly got XP Antivirus software. I cleared it with SuperAntiSpy, but I'm sure I'm going to get something new within a day or two. This is without even touching my desktop PC. I'm running Windows XP. Can someone please help me out? I have Nod32 Antivirus, and Windows XP is saying I have no antivirus installed. Please help me out.


#2 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 22 March 2010 - 01:32 PM

Can you please post both your Malwarebytes and SuperAntispyware logs.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 pimpfelix


Posted 22 March 2010 - 01:54 PM

I'm running them again. Give me a few minutes and I will have these up for you.

#4 pimpfelix


Posted 22 March 2010 - 01:56 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/21/2010 at 11:06 AM

Application Version : 4.34.1000

Core Rules Database Version : 4705
Trace Rules Database Version: 2517

Scan type : Quick Scan
Total Scan Time : 00:10:43

Memory items scanned : 546
Memory threats detected : 1
Registry items scanned : 515
Registry threats detected : 0
File items scanned : 8529
File threats detected : 4

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\FELIX\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\DOCUMENTS AND SETTINGS\FELIX\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\WINDOWS\Prefetch\AVE.EXE-323DA2FE.pf

Trojan.Agent/Gen-Rogue[AV]
C:\DOCUMENTS AND SETTINGS\FELIX\LOCAL SETTINGS\APPLICATION DATA\AV.EXE
C:\WINDOWS\Prefetch\AV.EXE-02E33369.pf

#5 pimpfelix


Posted 22 March 2010 - 01:58 PM

I'm running Malwarebytes. I tried to run it last night and my computer crashed while it was scanning. It seemed like explorer.exe shut down; I was at a light blue screen with no icons and Alt+Ctrl+Del was not working. I had to power cycle the computer. Hopefully this won't happen right now.

#6 pimpfelix


Posted 22 March 2010 - 02:00 PM

This was a scan from 03/03/2010 I did with SuperAntiSpy, if it helps.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/03/2010 at 07:11 PM

Application Version : 4.34.1000

Core Rules Database Version : 4637
Trace Rules Database Version: 2449

Scan type : Quick Scan
Total Scan Time : 00:18:31

Memory items scanned : 566
Memory threats detected : 0
Registry items scanned : 518
Registry threats detected : 8
File items scanned : 8737
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Felix\Cookies\felix@ad.yieldmanager[2].txt
C:\Documents and Settings\Felix\Cookies\felix@soundclick[2].txt
C:\Documents and Settings\Felix\Cookies\felix@content.yieldmanager[1].txt
C:\Documents and Settings\Felix\Cookies\felix@www.soundclick[1].txt
C:\Documents and Settings\Felix\Cookies\felix@collective-media[1].txt
C:\Documents and Settings\Felix\Cookies\felix@cms.trafficmp[1].txt
C:\Documents and Settings\Felix\Cookies\felix@trafficmp[2].txt
C:\Documents and Settings\Felix\Cookies\felix@ad.wsod[2].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\24A35611
HKLM\Software\Microsoft\24A35611#24a35611
HKLM\Software\Microsoft\24A35611#Version
HKLM\Software\Microsoft\24A35611#24a3fb91
HKLM\Software\Microsoft\24A35611#24a39274

Trojan.Agent/Gen-Alureon
HKU\.DEFAULT\Software\h8srt
HKU\S-1-5-21-1606980848-287218729-839522115-1003\Software\h8srt
HKU\S-1-5-18\Software\h8srt

Edited by pimpfelix, 22 March 2010 - 02:00 PM.


#7 techextreme


Posted 22 March 2010 - 02:01 PM

If for some reason Malwarebytes seems to blue screen your computer, please run Rkill.

First, Download rkill.com to your desktop.

Double-click on rkill.com to automatically attempt to stop any processes associated with rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by these rogue programs when Rkill terminates programs that may potentially remove them. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. Not closing the warning typically allows you to bypass the malware trying to protect itself, so that Rkill can terminate these rogue programs. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the instructions.

Once rkill has run please re-run MBAM and post your logs. If you are prompted to reboot by Malwarebytes, please do so immediately.

Edited by techextreme, 22 March 2010 - 02:02 PM.



#8 pimpfelix


Posted 22 March 2010 - 02:16 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3900
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/22/2010 12:15:14 PM
mbam-log-2010-03-22 (12-15-14).txt

Scan type: Quick Scan
Objects scanned: 150024
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Felix\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes ran fine. I did not need to use Rkill.

#9 techextreme


Posted 22 March 2010 - 02:21 PM

Ok. Let's re-run Superantispyware after updating it and post your logs from the scan.

Let's also check Firefox for any goodies that aren't supposed to be there.

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



#10 pimpfelix


Posted 22 March 2010 - 02:26 PM

GooredFix by jpshortstuff (08.01.10.1)
Log created at 12:26 on 22/03/2010 (Felix)
Firefox version 3.0.18 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:59 07/04/2009]

C:\Documents and Settings\Felix\Application Data\Mozilla\Firefox\Profiles\on98a63j.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [16:54 01/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:53 04/02/2009]

-=E.O.F=-

#11 techextreme


Posted 22 March 2010 - 02:31 PM

GooredFix looks good. Just .NET extensions loaded for Firefox.

I'll wait for your logs from your rescan with SuperAntiSpyware.



#12 pimpfelix


Posted 22 March 2010 - 02:41 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2010 at 12:39 PM

Application Version : 4.34.1000

Core Rules Database Version : 4710
Trace Rules Database Version: 2522

Scan type : Quick Scan
Total Scan Time : 00:14:11

Memory items scanned : 630
Memory threats detected : 0
Registry items scanned : 531
Registry threats detected : 0
File items scanned : 8341
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Felix\Cookies\felix@cms.trafficmp[1].txt
C:\Documents and Settings\Felix\Cookies\felix@trafficmp[2].txt
C:\Documents and Settings\Felix\Cookies\felix@ads.gmodules[2].txt

#13 techextreme


Posted 22 March 2010 - 02:44 PM

Ok. Let's do a few more things and then tell me how your computer is running.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.


Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.



#14 pimpfelix


Posted 22 March 2010 - 03:05 PM

All done.

Anything I can use to prevent this from happening? Why doesn't Windows XP see Nod32 Antivirus as installed? It says no antivirus is installed.

#15 techextreme


Posted 23 March 2010 - 07:16 AM

Av.exe is associated with the malware listed here. In the process of infecting your computer, it overrides the keys in the registry that tell Windows you have an antivirus program installed. The easiest way to repair this would be to reinstall NOD32 on your machine.

There are a few things you can do to prevent these things from happening again.

One essential part is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 18). Once downloaded, install it and then reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You already have Malwarebytes and SuperAntiSpyware on your computer. These are two very good programs for removing these wonderful little nasties that are on the internet. Keep them up to date and run them occasionally.

If you are using any type of Torrent software, I would strongly recommend against using it. These are Peer-to-Peer (aka P2P) programs and pose a significant risk to your security. The two links below explain in great detail the dangers of P2P programs and why they should not be used.
Keep your antivirus up to date and be sure to use a firewall.

Happy Computing. :thumbsup:

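As an added illustration of the Hijack.StartMenuInternet entry MBAM logged in post #8 (example code written for this page, not from either poster or from Malwarebytes), the Python below parses that log line and audits both the "Bad" and the "Good" command values: a browser's StartMenuInternet shell command should launch the browser itself from under Program Files, not a loader in the user's Application Data that is handed the real browser via /START. The trusted-root list and the assumed shape of the log line are my assumptions based on the values shown above.

```python
import ntpath
import re
import shlex

# Assumption: a legitimately installed browser's shell command runs from Program Files.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: the Registry Data Items line MBAM logged in post #8 of this thread.
MBAM_LINE = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default)'
    r' (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Felix\Local Settings'
    r'\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode)'
    r' Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.'
)

# Assumed shape of such a line: <key> (<signature>) -> Bad: (<value>) Good: (<value>) -> <action>
MBAM_REG_DATA = re.compile(
    r"^(?P<key>.+?) \((?P<sig>[^()]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> "
)

def check_browser_command(browser_key, command):
    """Audit one StartMenuInternet shell command value; return a list of findings."""
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped by hand.
    tokens = [tok.strip('"') for tok in shlex.split(command, posix=False)]
    if not tokens:
        return ["empty command value"]
    expected = browser_key.lower()
    launcher = tokens[0]
    findings = []
    if ntpath.basename(launcher).lower() != expected:
        findings.append(f"launcher is {ntpath.basename(launcher)!r}, expected {expected!r}")
    if ntpath.isabs(launcher) and not launcher.lower().startswith(TRUSTED_ROOTS):
        findings.append(f"launcher outside trusted roots: {launcher}")
    # Rogue AV loaders hand the real browser over as an argument so the user sees nothing odd.
    for arg in tokens[1:]:
        if ntpath.basename(arg).lower() == expected:
            findings.append(f"real browser passed as an argument: {arg}")
    return findings

def audit_mbam_line(line):
    """Parse an MBAM Registry Data Items line; return (browser, bad_findings, good_findings)."""
    m = MBAM_REG_DATA.match(line)
    if not m:
        raise ValueError("not a Registry Data Items line")
    browser = re.search(r"StartMenuInternet\\([^\\]+)", m["key"], re.I).group(1)
    return browser, check_browser_command(browser, m["bad"]), check_browser_command(browser, m["good"])

if __name__ == "__main__":
    browser, bad, good = audit_mbam_line(MBAM_LINE)
    print(browser, "bad:", bad, "| good:", good or "clean")
```

The same check can be run over a `reg export` of HKLM\SOFTWARE\Clients\StartMenuInternet to catch a loader that has been re-planted after cleaning.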

 




