
Possibly infected with Malware/Virus, not sure

4 replies to this topic

#1 Pally101

Pally101

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 12 July 2010 - 12:30 PM

Hello all, I have some problems with my laptop; over the weekend I may have infected it with something. I have run the following tools:
  • Malwarebytes
  • Avira
  • AVG 9.0
  • ESET
Malware found the following:
Files Infected:
C:\$RECYCLE.BIN\S-1-5-21-2916928351-575280734-3105646814-1000\$R81QJTN.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

Avira finds the following:
Virus or unwanted program 'HTML/Crypted.Gen [virus]'
detected in file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\URF0A9YC\ddc[6].htm.
Action performed: Deny access

AVG9.0 - none

ESET - Found a trojan downloader but it was removed; unfortunately I forgot the name of it and can't find the logs, it was ESET online scanner. *EDIT* I think this was the name of the virus, Win32/TrojanDownloader.Unruy.BT


Somehow I think Internet Explorer is infected; the IE process is always running even though I did not manually execute it. When I terminate the process it comes back, and sometimes two IE processes are running.

I also get the following text popups from malwarebytes saying access to a potentially malicious website has been blocked:

2:49:38 IP-BLOCK 89.28.69.32
12:49:38 IP-BLOCK 89.28.69.32
12:49:38 IP-BLOCK 89.28.69.32
12:52:36 IP-BLOCK 94.75.229.139
12:55:01 IP-BLOCK 94.75.229.139
13:02:56 IP-BLOCK 94.75.229.139
13:02:56 IP-BLOCK 94.75.229.139
13:03:52 IP-BLOCK 94.75.229.139
13:04:00 IP-BLOCK 94.75.229.139
13:08:17 IP-BLOCK 94.75.229.139
13:08:17 IP-BLOCK 94.75.229.139
13:10:09 IP-BLOCK 94.75.229.139
13:18:36 IP-BLOCK 94.75.229.139
13:18:36 IP-BLOCK 94.75.229.139
13:27:01 IP-BLOCK 94.75.229.139

Initially I had IE8, but I thought uninstalling IE might fix the problem. It only uninstalled the IE8 update and not IE itself, so IE7 is still on my system. I am running Windows Vista Home Premium. So what do I need to do? I need help, thanks in advance.

Edited by Pally101, 12 July 2010 - 12:49 PM.




#2 Pally101

Pally101
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 12 July 2010 - 02:36 PM

Just an update, I found similar threads about my problem here:
http://www.techspot.com/vb/topic149524.html
http://www.techspot.com/vb/topic149687.html

I followed the steps in the thread and tried executing the bootkit remover, but kept getting an error stating that no boot record was found when attempting to run the script posted in the threads above. So I booted up with my Vista CD, went to the command prompt console, and ran the "bootrec.exe" command to fix the MBR. Then I rebooted to safe mode and reran the bootkit remover to check if the unknown boot record was gone, and it was. Then I ran ComboFix and ATF Cleaner.

Restarted, and so far no messages about blocked sites from Malwarebytes and no IE processes spawning. Hopefully this is the solution.

#3 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:01:53 PM

Posted 12 July 2010 - 02:59 PM

Hi,
Do you know if the things found by Eset were removed? Win32/Unruy is nasty due to the sheer fact that it is there to download other malware from the internet. And I can show you where the log is. Go to C:\program files\Eset\Eset online Scanner\Log.txt and you can tell if it was cleaned or not. That particular threat is probably where the trojan.agent.CK found by MBAM came from.

Regards,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#4 Pally101

Pally101
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:53 PM

Posted 12 July 2010 - 03:05 PM

Hi,
Do you know if the things found by Eset were removed? Win32/Unruy is nasty due to the sheer fact that it is there to download other malware from the internet. And I can show you where the log is. Go to C:\program files\Eset\Eset online Scanner\Log.txt and you can tell if it was cleaned or not. That particular threat is probably where the trojan.agent.CK found by MBAM came from.

Regards,
Chromebuster


Yes from the log, it states that it was removed.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ef76b2bcf45f434ca11551209c662f95
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-12 04:37:45
# local_time=2010-07-12 12:37:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 708085 708085 0 0
# compatibility_mode=1024 16777215 100 0 705585 705585 0 0
# compatibility_mode=1797 16775165 100 94 0 37090317 0 0
# compatibility_mode=5892 16776574 100 100 872734 115547952 0 0
# compatibility_mode=8199 39157246 100 95 546890 44078036 0 0
# scanned=269692
# found=1
# cleaned=1
# scan_time=12242
# nod_component=V3 Build:0x30000000
C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\54ed1812-125867b2 a variant of Win32/TrojanDownloader.Unruy.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
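chromebuster's suggestion above is to read the ESET Online Scanner log by eye and check whether the detection was cleaned. The following is an added example (not from the thread, not ESET's code) that does that check programmatically: it parses the "# key=value" header and the detection record, then confirms the scan finished and that found, cleaned and the number of detection records all agree. The embedded log is a constructed sample modelled on the one pasted above.

```python
import re

# Constructed sample log, modelled on the ESET Online Scanner log pasted in post #4
# (path and values illustrative, not copied verbatim).
SAMPLE_LOG = """ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# scanned=269692
# found=1
# cleaned=1
# scan_time=12242
C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\cache\\6.0\\18\\54ed1812-125867b2 a variant of Win32/TrojanDownloader.Unruy.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# Detection record as it appears once the forum flattened ESET's tab separators:
#   <path> <threat description> (<action>) <32-hex hash> <flag>
# The path is read as a run of non-whitespace, so in this flattened form a path
# containing spaces would not split correctly; native logs use tabs (handled below).
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<threat>.+?)\s+\((?P<action>[^()]*)\)"
    r"\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)

def parse_eset_log(text: str) -> dict:
    """Return {'header': {key: value}, 'detections': [{path, threat, action, hash}]}."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:  # repeated keys (e.g. compatibility_mode) keep the last value
            key, value = m.group(1), m.group(2).strip().strip('"')
            header[key] = int(value) if value.isdigit() else value
            continue
        if "\t" in line:  # native tab-separated record
            f = line.split("\t")
            if len(f) >= 4:
                detections.append({"path": f[0], "threat": f[1],
                                   "action": f[2].strip("()"), "hash": f[3]})
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append({k: m.group(k) for k in ("path", "threat", "action", "hash")})
    return {"header": header, "detections": detections}

def scan_fully_cleaned(parsed: dict) -> bool:
    """True only if the scan finished, found == cleaned == records, and each record says cleaned."""
    hdr, dets = parsed["header"], parsed["detections"]
    finished = hdr.get("end") == "finished"
    counts_match = hdr.get("found", -1) == hdr.get("cleaned", -2) == len(dets)
    return finished and counts_match and all(d["action"].startswith("cleaned") for d in dets)
```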

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:53 PM

Posted 12 July 2010 - 03:18 PM

Hello, you have a Rootkit. In this case a Bootkit. Improper removal will have disastrous effects. Rootkits are not handled here in the AII forum, and if so only by staff. See here

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

  • Manual file removal instruction
  • ComboFix instructions or discussion
  • Registry instruction
  • Automated registry cleaners
  • HiJackThis and /or DDS instructions (logs are for review only)
  • Custom scripts, batch files
  • Other specialized fix tools the BC Staff deems untrained members should not recommend for use.
Note: This list is not limited and we may add to it as necessary. These restrictions are in place to ensure that only safe and effective methods are given to members seeking help with a malware problem.


First of all, Esage Bootkit remover is a very unreliable tool. As boopme said, it directly interacts with the MBR (master boot record) of the harddisk. If something goes wrong, you have an unusable computer.

Second, We must first confirm, then fix!

For everyone who suspects having this infection, please follow the steps in this guide

:thumbsup: Attempting to fix a rootkit like this one on your own is at your own risk!
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook



