
Spyware/trojan? Need help, please!

5 replies to this topic

#1 KillMilla


Posted 12 September 2010 - 06:59 AM

Hello!

My laptop usually runs like clockwork. I scan regularly with my Panda antivirus and Malwarebytes. The programs haven't found any irregularities and the Malwarebytes scan always comes out clear. However, a few weeks ago my laptop got noticeably slower and my Panda antivirus keeps telling me every time I start up the computer that it has eliminated a spyware.
I just ran a Panda total pro scan and it told me it had detected and disinfected a trojan.
However, upon restarting the PC my Panda still keeps telling me that it has eliminated a spyware, so I have a gut feeling that my PC isn't totally clean.

Can someone please help me find out what is wrong and how I go about doing it?

Thank you so very much in advance!

Best wishes, KillMilla.


#2 DaChew


Posted 12 September 2010 - 09:47 AM

What exactly is Panda finding and where did it find it? This is critical to finding what kind of infection you have.

It sounds like a dangerous rootkit if MBAM can't see it; however, an infection in a restore point or quarantine would not show with MBAM either.
Chewy

No. Try not. Do... or do not. There is no try.

#3 KillMilla


Posted 12 September 2010 - 02:16 PM

Hm, not really loving the phrase "dangerous rootkit", hoping that's not what it is.

Here's how it goes:

I start up my computer, it says Windows starting (I have Windows XP), then I get the screen where I am asked to type in my password, which I do, and I press enter. My personal settings load up and the desktop icons appear as well as the ones on the bottom tool bar. Just as the bottom tool bar is filled up with its usual icons, a window from Panda pops up and tells me that it has detected and eliminated a spyware.
I click on the info sign and it's located on my C drive. It's a cookie/Atlas DMT:

c:\documents and settings\xxxxx\cookies\xxxxx@atdmt[1].txt

Is this something I should worry about or is it nothing out of the ordinary?

Thanks a bunch in advance again.

#4 DaChew


Posted 12 September 2010 - 02:33 PM

Cookies are relatively harmless, that's why MBAM doesn't scan for them.

What misled me? Was it the reference to a trojan?

Let's see if we can do a more thorough cleaning of temp files and get another opinion.

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link).
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.



Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.
Chewy

#5 KillMilla


Posted 13 September 2010 - 04:37 PM

Just a quick note to let you know I haven't forgotten my case and that I am really appreciative of your help! I have done the ATF cleaning, but as it's getting late I don't have the time to do the rest tonight. Will get to them ASAP tomorrow when I have a print out of the instructions.

Again, thank you for guiding me through! :thumbsup:

#6 KillMilla


Posted 14 September 2010 - 11:16 PM

Hiya!

I have done as instructed and here's the log after the SUPERAntiSpyware scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2010 at 00:47 AM

Application Version : 4.43.1000

Core Rules Database Version : 5506
Trace Rules Database Version: 3318

Scan type : Complete Scan
Total Scan Time : 01:25:11

Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 6728
Registry threats detected : 0
File items scanned : 19754
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\xxxxx\Cookies\xxxxx@atdmt[1].txt
cdn5.specificclick.net [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
ia.media-imdb.com [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
media.mtvnservices.com [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
media.redcatsnordic.com [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
media.wcnc.com [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
msnbcmedia.msn.com [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]
media.mtvnservices.com [ C:\Documents and Settings\xxxxx.XXXXXX\Programdata\Macromedia\Flash Player\#SharedObjects\V9DMXX5V ]
media.socialvibe.com [ C:\Documents and Settings\xxxxx.XXXXXX\Programdata\Macromedia\Flash Player\#SharedObjects\V9DMXX5V ]
msnbcmedia.msn.com [ C:\Documents and Settings\xxxxx.XXXXXX\Programdata\Macromedia\Flash Player\#SharedObjects\V9DMXX5V ]





However, after having quarantined and removed everything, I still got a message from Panda after the reboot that it had found and eliminated a spyware?
But all signs of the trojan seem to be gone... Right?

Again, massive thank yous!
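The posted log lists only Adware.Tracking Cookie hits (browser cookies and Flash shared objects), which is the kind of finding the earlier reply calls relatively harmless. The following added example, not from the thread or from SUPERAntiSpyware, parses that 4.x log layout, cross-checks the "threats detected" counters against the listed items, and flags any family other than tracking cookies for a closer look; the sample log is constructed, and "Trojan.Placeholder" with its path is invented only to exercise the escalation branch.

```python
import re

# Constructed sample in the SUPERAntiSpyware 4.x log layout shown in the thread.
# "Trojan.Placeholder" and its path are invented purely to exercise the escalation branch.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 6728
Registry threats detected : 0
File items scanned : 19754
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\xxxxx\Cookies\xxxxx@atdmt[1].txt
cdn5.specificclick.net [ C:\Documents and Settings\xxxxx\Programdata\Macromedia\Flash Player\#SharedObjects\LFE9K7D5 ]

Trojan.Placeholder
C:\WINDOWS\Temp\placeholder.dll
"""

COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
FLASH_RE = re.compile(r"^(\S+) \[ (.+) \]$")      # "domain [ LSO folder ]" = Flash cookie
LOW_RISK = {"Adware.Tracking Cookie"}             # families that do not indicate a live infection

def parse_sas_log(text):
    """Return (counts, detections): counts per area, detections as family -> [(kind, host, path)]."""
    counts, detections, family, in_body = {}, {}, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
            in_body = m.group(1) == "File"        # detection listing follows the last counter
        elif in_body and line:
            fm = FLASH_RE.match(line)
            if fm:
                detections.setdefault(family, []).append(("flash_lso", fm.group(1), fm.group(2)))
            elif "\\" in line:                    # a plain path belongs to the current family
                detections.setdefault(family, []).append(("file", None, line))
            else:                                 # anything else starts a new family section
                family = line
                detections.setdefault(family, [])
    return counts, detections

def triage(text):
    """Cross-check the counters against the listing and flag families beyond tracking cookies."""
    counts, detections = parse_sas_log(text)
    reported = sum(counts.values())
    listed = sum(len(v) for v in detections.values())
    escalate = sorted(f for f in detections if f not in LOW_RISK)
    return {"reported": reported, "listed": listed,
            "consistent": reported == listed, "escalate": escalate,
            "cookie_only": not escalate}
```

Run on the log actually posted above, `cookie_only` comes back true and `escalate` is empty; a mismatch between `reported` and `listed` would mean the pasted log is truncated.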
