My friends horrible porn judgement... HELP


This topic is locked
12 replies to this topic

#1 joshuawhite (Members, 9 posts)

Posted 12 May 2010 - 11:55 PM

My friend used my computer and I guess normal people don't know how to watch porn without attracting e-STDs, so because of his bad porn judgement my computer has e-AIDS... I'd tell you what I know as to what it's doing, but you should be able to figure that out from the logs, I guess...
I'll go ahead and post what logs I have... if you need more, let me know.

Attached Files




#2 sempai (Malware Response Team, 5,288 posts)

Posted 13 May 2010 - 05:28 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



============================================


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


============================================


Please do the following if you do not wish to reformat:

Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the required logs when you reply and we will begin from there. Thanks.


Tell your friend to use e-condoms when watching porn. <= just kidding
~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 joshuawhite (Topic Starter, Members, 9 posts)

Posted 13 May 2010 - 07:24 AM

I'm going to attempt to clean it with you guys... I've been trying to do it myself for 3 weeks but I'm out of ideas, as I don't have the disk anymore and can't replace needed system files... so idk, do what ya do, buddy.
I removed that Windows Security 2010, but this one is the biggest inconvenience I've ever had.

#4 sempai (Malware Response Team, 5,288 posts)

Posted 13 May 2010 - 07:53 AM

Alright, please post the required logs when ready.

~Semp



#5 joshuawhite (Topic Starter, Members, 9 posts)

Posted 13 May 2010 - 04:03 PM

Here are the required logs...

Attached Files



#6 sempai (Malware Response Team, 5,288 posts)

Posted 13 May 2010 - 05:42 PM

Hi,

Also post the DDS.txt.

Thanks,
~Semp



#7 joshuawhite (Topic Starter, Members, 9 posts)

Posted 13 May 2010 - 06:31 PM

here ya go

Side note question, though:
I understand you probably don't make as much as you'd like, but do you make pretty decent money on donations?

Attached Files

  • Attached File: DDS.txt (7.7KB, 3 downloads)

Edited by joshuawhite, 13 May 2010 - 06:38 PM.


#8 sempai (Malware Response Team, 5,288 posts)

Posted 14 May 2010 - 05:20 AM

Hi,

Please do not attach logs unless instructed. Copy/paste them directly into your reply.
Some of the lines in DDS.txt are missing. Did you remove them on purpose?


QUOTE
I understand you probably don't make as much as you'd like but do you make pretty decent money on donations?
To be honest with you, the answer is NO.



=====================================


I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir

    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


=====================================


Please answer the following questions:

1. I can see that you previously ran ComboFix. It SHOULD NOT be used unless requested by a forum helper. See HERE.
Can you please post the contents of C:\ComboFix.txt?



2. Do you recognize the following installed programs on your PC:
  1. 100795
  2. 179816
  3. 180143
  4. 183311


3. Did you create these policies?
  1. mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
  2. mPolicies-explorer: MaxRecentDocs = 18 (0x12)
  3. mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
  4. mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
  5. mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

~Semp



#9 joshuawhite (Topic Starter, Members, 9 posts)

Posted 14 May 2010 - 08:07 AM

1) I installed ComboFix just in case you would have me run it; it never actually got run... I just like to prepare.
2) I had antivirus installed... not sure why it wouldn't be anymore, but it's not?
3) To be honest, I saw those in Add/Remove Programs but I don't know what they are.
4) No, I didn't create said policies, and I didn't remove any lines from DDS.txt at all; I just re-saved it in a different dir.
Weird...

#10 sempai (Malware Response Team, 5,288 posts)

Posted 14 May 2010 - 08:11 AM

Hi,

Alright, now let's begin.


=================================


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



2. Please delete your copy of combofix (do not uninstall) then run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#11 joshuawhite (Topic Starter, Members, 9 posts)

Posted 15 May 2010 - 06:36 AM

here you are

Attached Files



#12 sempai (Malware Response Team, 5,288 posts)

Posted 15 May 2010 - 07:42 AM

Hi,

Please do not attach logs unless instructed.

Can you please tell me what your antivirus program is?


============================================


Asksbar/Ask Toolbar warning:
I strongly suggest that you uninstall Asksbar/Ask Toolbar. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.



P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire/BitComet).

These programmes allow users to share files between each other, as the name(s) suggest. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



============================================


1. Please go to http://virscan.org/
  • Copy and paste the following file paths into the "Suspicious files to scan" box on the top of the page:
    c:\windows\system32\dpnwsocke.dll
    c:\program files\Everything\Everything.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    ndis.sys
    tcpip.sys
    wscntfy.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply



3. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and run ERUNT before proceeding with the next instruction.



4. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

File::
c:\windows\system32\net.net
c:\windows\Pnarub.exe
c:\docume~1\owner\locals~1\temp\pvm .exe

Folder::
c:\documents and settings\OWNER\APPLICATION DATA\6132C09362961DAEA3CF3FAD81846448

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NEWUPDATE1142C .EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newupdate1142C.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\net]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QZAIB7KITK]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Zwangie Service"=-

SrPeek::
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\drivers\tcpip.sys
c:\windows\System32\wscntfy.exe

Driver::
jytpntz
muylu

RenV::
c:\program files\BitComet\bitcomet   .exe

DirLook::
C:\AKM Antivirus 2010 Pro

DDS::
TCP: {13CC99EE-2A53-4359-A045-5DA9B82E06FE} = 8.8.8.8
TCP: {4AADB0C9-48DA-41A3-9828-F34C62214658} = 8.8.8.8
TCP: {7D68B307-EAF2-4399-AFF5-7F884045ADE4} = 8.8.8.8
TCP: {9B4FB850-8F8C-4445-9504-35FE1F36EE96} = 8.8.8.8
TCP: {CEC535ED-2E84-42CC-ADBC-8DA27EF73F8A} = 8.8.8.8


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by sempai, 15 May 2010 - 09:12 AM.

~Semp


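As an added example (not part of this thread and not ComboFix's own code), a small Python parser for the CFScript layout used in step 4 of the post above: it splits the script into its `Section::` blocks and interprets the .reg-style Registry:: entries, so a reviewer can see exactly which keys and values the script would delete or set before running it. The embedded sample is a constructed, trimmed copy of the script posted above.

```python
# Added example: parse the "Section::" layout of a ComboFix CFScript and interpret
# its .reg-style Registry:: block. Not part of ComboFix itself.
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the script posted in this thread.
SAMPLE_CFSCRIPT = r"""KillAll::

File::
c:\windows\system32\net.net
c:\windows\Pnarub.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\net]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Zwangie Service"=-

Driver::
jytpntz
muylu
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")  # "File::", "Registry::", ...
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "Name"=data  or  "Name"=-


def parse_cfscript(text):
    """Split a CFScript into {section: [entry, ...]}; blank lines are dropped."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line.strip() and current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Interpret Registry:: entries as (action, target, data) tuples:
    [-Key] deletes the key; [Key] selects the key for the "Name"=... lines
    that follow; "Name"=- deletes a value; anything else sets it."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()
            kind = "delete_value" if data == "-" else "set_value"
            actions.append((kind, key + "\\" + name, None if data == "-" else data))
    return actions
```

Running `registry_actions(parse_cfscript(SAMPLE_CFSCRIPT)["Registry"])` yields one key deletion (the `startupreg\net` entry), one value set (`EnableFirewall` to `dword:00000001`) and two value deletions (`DisableNotifications` and `Zwangie Service`).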

#13 sempai (Malware Response Team, 5,288 posts)

Posted 19 May 2010 - 05:36 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp





