
help with x.exe



#1 kennzsniper

kennzsniper

  • Members
  • 142 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:19 AM

Posted 25 March 2010 - 07:18 AM

I have recently been having an issue with x.exe being detected by MBAM.

Malwarebytes seems to detect the malware, but it only quarantines it. Malwarebytes also detected 126.exe and blaze.exe.
I downloaded Spybot Search & Destroy and it found x.exe. Upon restarting, the same thing comes up.
Running ComboFix does not help because it can't remove it.
SmitFraudFix locks up as well.
HJT detects a couple of RunOnce entries; perhaps I need to remove them.
Running Autoruns does not seem to help because most of the things listed on my computer are publisher verified.


Now I need your help to resolve this issue altogether.

I am at the office right now thinking what to do.

I am planning to do the following and I need your advice on whether they are advisable.

1. Uninstall MBAM and reinstall it.
2. Use QuickSmash - perhaps it can help.
3. Redownload combofix and smitfraudfix and run them in safe mode.
4. Use Prevx -- I don't really want to go this route because I'm cheap and would like to resolve this without spending anything ^_^.
5. Go for Kaspersky and use it (I don't really want to do this because I am OC about CPU resources).

I will post updates once I get home. In the meantime your opinion would be of great help.

Edited by kennzsniper, 25 March 2010 - 08:05 AM.

Hardware tech when I was in college.
1st job was a network support for SOHO
2nd job was lappy tech
3rd Job way out of my league but it's nice...



#2 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:19 PM

Posted 25 March 2010 - 10:41 AM

Please post the logs from your Malwarebytes run.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 kennzsniper


Posted 25 March 2010 - 01:33 PM

I came home and went to battle.

I downloaded the following in safe mode.

QUICKSMASH -
ComboFix - renamed
SmitFraudFix - renamed
MBAM -
SAS

Did the following:
1. Ran QuickSmash, restarted PC
2. Ran MBAM - found a couple - restarted - safe mode again
3. Ran SmitFraudFix - a couple of files got deleted - restarted
4. Ran ComboFix - restarted
5. Uninstalled, restarted and reinstalled MBAM with updates.
6. Booted into safe mode and found rootkits that somehow MBAM cannot remove.
7. Installed SAS, updated and scanned in safe mode. Restarted. - removed tons of stuff.
8. Ran MBAM and HJT.


Latest MBAM logs

Malwarebytes' Anti-Malware 1.44
Database version: 3913
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/26/2010 2:28:11 AM
mbam-log-2010-03-26 (02-28-11).txt

Scan type: Quick Scan
Objects scanned: 193241
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I am running SAS again and we will see what happens.
Running time 3 hours....

Edited by kennzsniper, 25 March 2010 - 02:10 PM.


#4 kennzsniper


Posted 25 March 2010 - 01:53 PM

Latest MBAM logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3913
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/26/2010 2:44:36 AM
mbam-log-2010-03-26 (02-44-36).txt

Scan type: Quick Scan
Objects scanned: 193369
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Latest SAS log.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 02:44 AM

Application Version : 4.34.1000

Core Rules Database Version : 4730
Trace Rules Database Version: 2542

Scan type : Quick Scan
Total Scan Time : 00:07:49

Memory items scanned : 374
Memory threats detected : 0
Registry items scanned : 318
Registry threats detected : 0
File items scanned : 9403
File threats detected : 1

Trojan.IRCBot/VM-Fake
C:\DOCUMENTS AND SETTINGS\KENNZ\DESKTOP\BACKUPFILES\X.BAK


I thought that I got rid of x.exe.. I was wrong....

Any thoughts...

Edited by kennzsniper, 25 March 2010 - 02:09 PM.


#5 techextreme


Posted 25 March 2010 - 02:04 PM

Unfortunately, HJT logs are not permitted in this forum. Please edit your post.

X.bak looks as if it is in your "Backup" folder on your desktop. You may want to remove that folder and once again perform your backup.

You stated you ran Combofix. Fortunately, it looks as if it caused you no harm. Combofix is a very specialized tool that should be used only under supervision of the people that are trained in its use. Please read this post here for more information.

Once you have removed your HJT logs and removed the files in \BACKUPFILES please once again re-run SAS after updating and repost the logs.

#6 kennzsniper


Posted 25 March 2010 - 02:26 PM

Ran SAS found nothing.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 03:20 AM

Application Version : 4.34.1000

Core Rules Database Version : 4730
Trace Rules Database Version: 2542

Scan type : Quick Scan
Total Scan Time : 00:09:24

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 322
Registry threats detected : 0
File items scanned : 9492
File threats detected : 0



Ran free Prevx without the cleaning option

found
blaze.exe
x.exe
43.exe
etc.

in c:\windows\system32

Ran FileASSASSIN on them. Will scan again.

Edited by kennzsniper, 25 March 2010 - 02:57 PM.


#7 kennzsniper


Posted 25 March 2010 - 03:23 PM

Downloaded and running Sophos antirootkit.

I hope this kills x.exe....

#8 kennzsniper


Posted 25 March 2010 - 04:03 PM

Sophos antirootkit was no help.


I have to manually delete the files and registry entries.

So far so good. Nothing spotted yet by PrevX and MBAM..

#9 kennzsniper


Posted 25 March 2010 - 11:57 PM

I left SAS running overnight to scan, and MBAM detected x.exe again. It keeps coming back.
PrevX detected it as a rootkit.

I found registry entries in Winlogon pertaining to taskman that link to a file that is not found, syscr.exe.

So far these are the latest SAS logs. I am at work right now. I will try again once I get back home.

I am looking for a strong rootkit killer. I tried to download GMER but I have yet to understand how it works.

Sophos rootkit killer was not really a big help. It just stalled my PC.

I tried Sysinternals' RootkitRevealer and it found no relevant information that I can link to the said infections.

I disabled System Restore [apparently it was re-enabled when I ran ComboFix].
I will fight this battle again tonight.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 08:42 AM

Application Version : 4.34.1000

Core Rules Database Version : 4731
Trace Rules Database Version: 2542

Scan type : Complete Scan
Total Scan Time : 01:13:32

Memory items scanned : 326
Memory threats detected : 0
Registry items scanned : 3893
Registry threats detected : 0
File items scanned : 145503
File threats detected : 19

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP1\A0002581.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP1\A0002599.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP1\A0002605.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP1\A0002633.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP1\A0002791.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004989.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004990.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004992.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004993.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004996.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0004997.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0005009.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B46C7D0-696F-430B-8BBF-673EB17FF022}\RP2\A0005011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5DEF3CA-A4DD-4EB7-9097-C935D917CD7D}\RP34\A0099401.EXE

Trojan.IRCBot/VM-Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D5DEF3CA-A4DD-4EB7-9097-C935D917CD7D}\RP34\A0095966.EXE

Adware.Vundo/Variant-X32[Header]
D:\SYSTEM VOLUME INFORMATION\_RESTORE{D5DEF3CA-A4DD-4EB7-9097-C935D917CD7D}\RP35\A0099434.DLL

Trojan.Agent/Gen-PennyStockChaser
D:\SYSTEM VOLUME INFORMATION\_RESTORE{D5DEF3CA-A4DD-4EB7-9097-C935D917CD7D}\RP35\A0099435.EXE

Trojan.Agent/Gen-SVC[Fake]
D:\SYSTEM VOLUME INFORMATION\_RESTORE{D5DEF3CA-A4DD-4EB7-9097-C935D917CD7D}\RP35\A0099437.EXE

Edited by kennzsniper, 26 March 2010 - 04:01 AM.


#10 techextreme


Posted 26 March 2010 - 09:13 AM

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
  • (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
  • (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#11 kennzsniper


Posted 26 March 2010 - 12:31 PM

Ran the application once as advised.

And found that the Dr Web was infected. I also noticed that the application was only scanning 1 partition.

I ran it again and encountered errors.


I am redownloading it and checking all the partitions.

See 1st logs below:

ahui.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
blastcln.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
bootcfg.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
cabarc.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
charmap.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
cipher.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
cmd.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
dmadmin.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
freecell.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
ftp.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
javaws.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
junction.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
locator.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
logonui.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
migpwd.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
mobsync.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
mshearts.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
msiexec.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
mspaint.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
net.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
netdde.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
netsh.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
notepad.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
nslookup.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
nvuide.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
nvunrm.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
Power Defragmenter GUI.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
progman.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
proquota.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
rasphone.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
rdpclip.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
rsmui.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
rsvp.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
scardsvr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
sessmgr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
smlogsvc.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
sndvol32.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
sol.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
strun.exe;C:\WINDOWS\system32;Tool.StartupRun.122;Incurable.Moved.;
taskmgr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
telnet.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
tlntadmn.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
tlntsess.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
tlntsvr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
tracerpt.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
tscupgrd.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
verifier.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
vssvc.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
wiaacmgr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
winmine.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
rstrui.exe;C:\WINDOWS\system32\Restore;Win32.Polipos;Cured.;
wmiadap.exe;C:\WINDOWS\system32\wbem;Win32.Polipos;Cured.;
wmiapsrv.exe;C:\WINDOWS\system32\wbem;Win32.Polipos;Cured.;
wmiprvse.exe;C:\WINDOWS\system32\wbem;Win32.Polipos;Cured.;
camfrog (1).exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
camfrog.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
cdbxp_setup_4.2.5.1541.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
mbam-setup (1).exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
mbam-setup.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
ptfb3603.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
removeit_pro.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
rsclient.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
spybotsd162.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
SUPERAntiSpyware.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
vlc-1.0.2-win32.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
Vuze_Installer.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
Vuze_Installer.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Trojan.PWS.Stealer.244;Deleted.;
EPMSetup.exe;C:\Documents and Settings\kennz\My Documents\Downloads\epm;Win32.Polipos;Cured.;
ugafb8bg.exe;c:\documents and settings\kennz\desktop;Win32.Polipos;Cured.;
fdm.exe;c:\program files\free download manager;Win32.Polipos;Cured.;
rocketdock.exe;c:\program files\rocketdock;Win32.Polipos;Cured.;
CF19640.cfxxe;C:\Combo--Fix;Win32.Polipos;Cured.;
artmoney728eng.exe;C:\Documents and Settings\kennz\Desktop\bugger;Win32.Polipos;Cured.;
WPE PRO - modified.exe;C:\Documents and Settings\kennz\Desktop\bugger\WPE Undetected;Program.Wpe;;
SUPERAntiSpyware.exe;C:\Documents and Settings\kennz\Desktop\DS;Win32.Polipos;Cured.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\kennz\My Documents\Downloads\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\kennz\My Documents\Downloads\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Archive contains infected objects;Moved.;
RecoveryManager.exe;C:\Documents and Settings\kennz.DEATHSPECTER\My Documents\Downloads;Win32.Polipos;Cured.;
x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1BTJNFQH;Win32.HLLW.Autoruner.9104;Incurable.Moved.;
gsztsnbx[1].jpg;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9MI4IX6Y;Win32.HLLW.Shadow.based;Deleted.;
x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VT4L8YPO;Win32.Virut.56;Cured.;
x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VT4L8YPO;BackDoor.IRC.Sdbot.4538;Deleted.;

#12 kennzsniper


Posted 26 March 2010 - 01:12 PM

I ran it again and only found this.

msiexec.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
mspaint.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
taskmgr.exe;C:\WINDOWS\system32;Win32.Polipos;Cured.;
camfrog (1).exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
camfrog.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
cdbxp_setup_4.2.5.1541.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
mbam-setup (1).exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
mbam-setup.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
ptfb3603.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
removeit_pro.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
rsclient.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;
vlc-1.0.2-win32.exe;C:\Documents and Settings\kennz\My Documents\Downloads;Win32.Polipos;Cured.;


I deleted all the exe downloads that I had and I don't have any errors.

MBAM scans no results.
PrevX scans no results.

Running SAS again..


Will check again for any errors.

I deleted all scheduled tasks as well.

Edited by kennzsniper, 26 March 2010 - 01:13 PM.


#13 kennzsniper


Posted 27 March 2010 - 01:49 AM

SAS results - None
MBAM - None
PrevX - None
DrWebCureIt - None

-- I seem to be all set.

I am thinking of Panda's Cloud AV and will give it a whirl.

Thanks for the help techextreme.

#14 techextreme


Posted 29 March 2010 - 07:00 AM

kennzsniper,

Your logs at the very end look good, but I see 2 things that worry me in the first run of Dr. Web.

[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VT4L8YPO;Win32.Virut.56;Cured.;
x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VT4L8YPO;BackDoor.IRC.Sdbot.4538;Deleted.;


Virut has been noted as almost completely incurable.

Note: The method of infection used by Win32/Virut can damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications.



Backdoor.Sdbot is a Trojan horse that opens a back door and allows a remote attacker to control a computer by using Internet Relay Chat (IRC). The Trojan can update itself by checking for newer versions on the Internet.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I think it is possible that your infections have been removed, but I also think that in reading all of the information I just provided you may want to consider reinstalling your computer for your own safety. The choice is completely up to you.

#15 kennzsniper


Posted 04 April 2010 - 09:14 PM

The problem is back..


x.exe is back.

I am running the diagnostics again.

I have since installed pc tools firewall to help me out. But the problem keeps coming back. Do you have any ideas?

Edited by kennzsniper, 04 April 2010 - 09:15 PM.




