Infected with Win 32.worm/possibly hacked!!!


13 replies to this topic

#1 Miroku16

Miroku16

  • Members
  • 307 posts
  • OFFLINE
  •  
  • Local time:10:56 AM

Posted 25 December 2010 - 11:23 PM

I don't understand how this happened. I was just doing research on the possibility of a new computer by using Google. I opened a regular information/review site. Then all of a sudden, my taskbar flashed that I had been infected by some malicious item, I think it was called win32.worm.
I tried opening up my Malwarebytes anti-virus software, but the infection prohibited me from doing so. So, I decided to go here at first on my infected computer. Every 10 seconds, it flashed reminders of my infection and for me to activate antivirus software that cost money. I disregarded the request, figuring it would be a scam to get my money. But the scariest part about the whole situation was this loud sudden scream/laugh that I heard through my headphones in the computer. Then a new warning message popped up saying that some of my files had leaked to the internet. In addition to that, I saw my computer list my last name in all caps and my IP address. I was so afraid that I shut off my computer immediately and unhooked it from my internet source. I'm not sure what is going on with my computer. The only thing that I know is that my main computer does not appear to be safe for usage for a while. I hope no one has got a hold of important information. I also hope the internet that my laptop is connected to is not hazardous in this situation.

Computer specs:
Operating system: Windows XP



Right now, I need help getting my home computer fixed from this problem. I am extremely worried about what has happened to my computer. If it is possible, I would like someone's assistance ASAP!

Things I need to add:

If there are solutions in which I have to boot up a CD before it gets to the welcome page, I can't do it because my computer doesn't autorun.

One more thing:

I luckily put my new portable hard drive into good use by getting my important documents, music, and videos from my computer. So, if a complete operating system clean out or reset is required, then I am prepared for using it as a last resort.



#2 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:10:56 AM

Posted 25 December 2010 - 11:36 PM

Hi there,
It looks not so much like you have been hacked, but the more likely situation is that you have somehow allowed a rogue on your computer, hence where the alerts are coming from. The alerts are more than likely fake, and MBAM will not run due to the rogue blocking access to it. Rogues will do that to you. You have to try a few different tactics. You should first rename the main executable for MBAM to something random such as kfvn28.exe. See if it runs then. If not, then redownload the setup file for it onto another computer known to be clean, then rename it and try installing again. See if that helps.

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#3 Miroku16

Posted 26 December 2010 - 12:02 AM

I tried that tactic, but apparently the rogue is blocking the renamed program of MBAM. I also tried renaming the setup MBAM that was on my flash drive and tried setting it up within the infected computer. Unfortunately, it was blocked too. I'm so confused. What can I do now?

#4 Miroku16

Posted 26 December 2010 - 01:04 AM

An update:

I am definitely in need of professional help from this site at this point. I tried googling ways in dealing with the virus. The good news: I found solutions and methods of removing the program. The Bad News: The pesky rogue blocks any program or method that I try to run. I can't even open up the task manager without it getting blocked by the win32blaster. So for now, I will be waiting for someone's assistance in order to get this malicious item off of my main computer.

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,612 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:56 AM

Posted 26 December 2010 - 01:21 PM

Try downloading and running http://download.bleepingcomputer.com/grinler/iExplore.exe and see if you can run that. When it's done, try Malwarebytes again.

#6 Miroku16

Posted 26 December 2010 - 01:41 PM

Okay, I got through with rkill. Here is the log for it:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/26/2010 at 13:34:14.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Boot\Application Data\defender.exe


Rkill completed on 12/26/2010 at 13:34:29.


Anyways, I did the quick scan with MBAM and it found the rogues. I selected remove and I got the following log:
12/26/2010 1:52:37 PM

mbam-log-2010-12-26 (13-52-37).txt

Scan type: Quick scan
Objects scanned: 143268
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spyware protection (Rogue.SecurityCentral) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Boot\Application Data\defender.exe (Rogue.SecurityCentral) -> Quarantined and deleted successfully.

For right now, my computer is working fine now without my programs being limited or canceled. However, is there a follow-up that can be done in order to make sure that my computer is free from those rogues or other serious malicious items?

Edited by Miroku16, 26 December 2010 - 02:05 PM.
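
As an added example (not part of any post in this thread and not Malwarebytes' own tooling), here is a small Python parser for the MBAM log layout shown in post #6. It extracts each detection, flags the Run-key autostart value and the executable dropped under Application Data, and lists any item the log does not report as removed successfully. The section names and line layout are assumed from the log lines quoted above.

```python
import re

# Detection lines copied from the MBAM quick-scan log in post #6 above.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spyware protection (Rogue.SecurityCentral) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Boot\Application Data\defender.exe (Rogue.SecurityCentral) -> Quarantined and deleted successfully.
"""

# Layout assumed from the log above: "<Section> Infected:" headers, then
# "<item> (<family>) -> <action>." lines. Summary counts such as
# "Files Infected: 1" do not match either pattern and are skipped.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*$")
DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(Application Data|AppData|Local Settings\\Temp)\\", re.I)

def parse_mbam(text):
    """Return one dict per detection: section, item, family, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        hit = DETECTION.match(line)
        if hit and section:
            findings.append({"section": section, **hit.groupdict()})
    return findings

def triage(findings):
    """Flag autostart registry values and executables in user-writable paths."""
    notes = []
    for f in findings:
        if f["section"] == "Registry Values" and AUTOSTART.search(f["item"]):
            notes.append(("autostart", f["item"].rsplit("\\", 1)[1], f["family"]))
        elif f["section"] == "Files" and USER_WRITABLE.search(f["item"]):
            notes.append(("user-writable-exe", f["item"], f["family"]))
    return notes

def unresolved(findings):
    """Detections the log does not report as removed successfully."""
    return [f for f in findings if "successfully" not in f["action"].lower()]
```

For this log, `triage` pairs the `spyware protection` Run value with `defender.exe`, the same process Rkill terminated, and `unresolved` returns an empty list.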


#7 chromebuster

Posted 26 December 2010 - 04:08 PM

Thanks a lot for posting that link for him. Ever since the new interface has been placed into effect, I've not been able to link or do anything fancy with it. I'm sorry Miroku16, I wanted to post that for you, but since I can't link on here, I didn't want to tell you about something that I couldn't quickly bring you to. And it's a full scan you'll want to do. Post the log back and let us know how things are now.


#8 Miroku16

Posted 26 December 2010 - 08:48 PM

Oh, it's cool man. I appreciate each of your help. Anyways, I ran a full scan on my computer with MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4374

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/26/2010 8:00:36 PM
mbam-log-2010-12-26 (20-00-36).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 191376
Time elapsed: 43 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


So, it appears that my computer didn't detect any malicious items. Am I in the clear or do I need another follow-up?

#9 Grinler

Posted 26 December 2010 - 09:02 PM

Looks good but you may want to perform an online scan using Kaspersky or ESET to be safe.

#10 Miroku16

Posted 26 December 2010 - 09:26 PM

I've never heard of those antivirus softwares before. Where can I find those?

#11 Grinler

Posted 27 December 2010 - 12:39 PM

Try this:

http://www.eset.com/online-scanner

#12 Miroku16

Posted 27 December 2010 - 08:46 PM

Okay, I ran the scan and it found one item:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined

Other than this item, which was dealt with, my computer is said to be alright. So, am I in the clear now?

#13 Grinler

Posted 28 December 2010 - 10:46 AM

Looks like it, but no way of 100% knowing unless you follow the steps here:

http://www.bleepingcomputer.com/forums/topic34773.html

#14 Miroku16

Posted 05 January 2011 - 11:34 PM

Thanks



