
Backdoor.Bot,Hijack.System,Trojan.Dropper/Agent,Worm.Nyxem


1 reply to this topic

#1 dadsbeensurfinagin

dadsbeensurfinagin

  • Members
  • 2 posts

Posted 03 April 2010 - 06:16 PM

Yay, made it to page 4 w/o getting any help!

The items in the title came from an MBAM quarantine list.

Some info: OS WinXP. AVG 8. Using a flash drive to move anything from you all to the infected computer (same room, different computer).

Tried rkill - downloaded 3 versions, tried renaming, but didn't get it to run. Read the rkill tutorial and believe I did what it asked of me. I apologize in advance if that was a no-no. It sounded like just the right hammer to use and I so very much wanted to use a hammer on that computer.

While typing this I just looked over at the sick, sick computer to my right and the BSOD just appeared on it... sigh.

Computer unable to read .txt files ("error: can't find notepad"), so the MBAM log that is supposed to open at the end of the scan doesn't, and I don't think it actually fixes anything. Duh! Haven't tried to copy log.txt to the flash drive.

Other symptoms: unable to open the Control Panel or Windows Update.

I don't believe the AVG update is legit, but it does go somewhere!

I can open Task Manager if I mash Ctrl+Alt+Del immediately after logon, and there are 5 to 10 new processes as well as some that jump in and out. I toyed w/ chasing them and "end process"ing them, HA HA HA. Not funny.

Hope that's enough to get started. I wish I could see the fear in that computer's eye.

Edited by dadsbeensurfinagin, 04 April 2010 - 04:29 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 dadsbeensurfinagin

dadsbeensurfinagin
  • Topic Starter

  • Members
  • 2 posts

Posted 03 April 2010 - 06:36 PM

Just to add a note. Upon reboot I looked at the process list in Task Manager, and of the 35 processes running only one had a user name - System Idle Process. It was attributed to SYSTEM; everything else was anonymous.

Does that mean that every process on that machine is viral/hijacked?

Here is the MBAM log, cut/pasted. I did try to "take action", but MBAM fails to complete, and a reboot brings back everything and maybe more.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 12:40:04 PM
mbam-log-2010-04-03 (12-40-04).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 168528
Time elapsed: 17 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 11
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0HU7WLAB\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TIZKPA7\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TIZKPA7\w[2].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TIZKPA7\w[3].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6Z8PUV\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6Z8PUV\w[2].bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\opear.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\t4m0_710592308403.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\VRT12.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\VRT3.tmp (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\Temp\VRT6.tmp (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\Temp\VRT7.tmp (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.

Edited by dadsbeensurfinagin, 04 April 2010 - 09:25 AM.
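The log above, read by a small triage parser. This is an added example for this page, not the poster's code and not anything from Malwarebytes. It pulls out the four things a helper would check first in a log like this one: whether any detection was actually removed (every line here ends in "No action taken."), which browser launchers under StartMenuInternet were hijacked and by what (the Bad: values point at ave.exe in Local Settings\Application Data, which then starts the real browser with /START), which Security Center *DisableNotify values were flipped to 1, and whether the per-section counts in the header match the entries listed, which catches a log that was pasted incompletely. The embedded sample is a constructed, abridged copy of the posted log; the "Files Infected: 17" header count is kept while only four file lines are listed, so that the count check fires. The line shapes (section headers, the "Bad: (...) Good: (...)" pair, the trailing "-> action.") are taken from the log as posted; other MBAM versions are assumed to follow the same layout.

```python
# Added triage helper for a Malwarebytes' Anti-Malware 1.x text log (format as
# posted above); not code from the thread or from Malwarebytes.
import ntpath
import re

# Constructed, abridged excerpt of the posted log. The header still says
# "Files Infected: 17" but only four file lines are kept, so the count check fires.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 17

Memory Modules Infected:
c:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\VRT12.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
"""

COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return {"summary": {section: count}, "sections": {section: [entry, ...]}}."""
    parsed, section = {"summary": {}, "sections": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("(No malicious items"):
            continue
        if (m := COUNT_RE.match(line)) and section is None:
            parsed["summary"][m.group("name")] = int(m.group("n"))
        elif m := SECTION_RE.match(line):
            section = m.group("name")
            parsed["sections"].setdefault(section, [])
        elif section is not None and (m := ENTRY_RE.match(line)):
            entry = {"item": m.group("item"), "detection": m.group("detection"),
                     "bad": None, "good": None, "action": m.group("rest")}
            if d := DATA_RE.match(m.group("rest")):  # registry data: Bad/Good pair
                entry.update(bad=d.group("bad"), good=d.group("good"), action=d.group("action"))
            entry["action"] = entry["action"].rstrip(".")
            parsed["sections"][section].append(entry)
    return parsed

def count_mismatches(parsed):
    """(section, header count, entries listed) where they differ: the paste is incomplete."""
    return [(name, n, len(parsed["sections"].get(name, [])))
            for name, n in parsed["summary"].items()
            if n != len(parsed["sections"].get(name, []))]

def unresolved(parsed):
    """Items detected but not removed ("No action taken")."""
    return [e["item"] for entries in parsed["sections"].values()
            for e in entries if e["action"].lower() == "no action taken"]

def _first_token(cmd):
    m = re.match(r'"([^"]*)"|(\S+)', cmd.strip())  # quoted path or bare word
    return "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def launcher_hijacks(parsed):
    """(registry value, executable actually launched, expected browser) for each
    StartMenuInternet command whose first token is not the browser itself."""
    out = []
    for e in parsed["sections"].get("Registry Data Items Infected", []):
        if e["detection"] != "Hijack.StartMenuInternet" or e["bad"] is None:
            continue
        bad_exe, good_exe = _first_token(e["bad"]), _first_token(e["good"])
        if ntpath.basename(bad_exe).lower() != ntpath.basename(good_exe).lower():
            out.append((e["item"], bad_exe, good_exe))
    return out

def security_center_disabled(parsed):
    """Security Center *DisableNotify values that were switched to 1."""
    return sorted(ntpath.basename(e["item"])
                  for e in parsed["sections"].get("Registry Data Items Infected", [])
                  if e["detection"] == "Disabled.SecurityCenter" and e["bad"] == "1")

if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print(len(unresolved(p)), "detections left in place;", security_center_disabled(p), "set to 1")
    print("hijacked launchers:", launcher_hijacks(p), "\ncount mismatches:", count_mismatches(p))
```

Run against the full log as posted, every entry comes back from `unresolved`, which matches the poster's report that MBAM never completes its fix and a reboot brings everything back; `launcher_hijacks` names ave.exe as the program that now runs whenever Firefox or Internet Explorer is opened from the Start menu; and the three Security Center values set to 1 are what keeps the tray from warning that antivirus, firewall and updates are off. The count check is only a consistency test on the paste itself; it says nothing about what is still on the disk.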




