
Am I...still infected?

9 replies to this topic

#1 Xertol (Members, 5 posts)

Posted 29 December 2010 - 07:19 AM

Well there's a small backstory to my problem involving a lot of outright stupidity.

A few days ago, I noticed that my internet connection was a little slower than usual (maybe this isn't because of the infection, I still don't know), certain sites/flash games wouldn't load (I thought it was because my java/shockwave/flash was outdated), and streaming would either not work or take a really long time to buffer. I then went to google this, and after much frustration, it was pretty clear I had the google redirecting virus (whether or not this impacted the previous events, I don't know); but I was infected. I spent a few hours per day for about 2 days, googling ways to fix this (I have a pretty good idea of what can be trusted and what can't).

I started with my "default" scanner, which was VAIO care. It detected a few problems and said that they were removed. Updates for maintenance were recommended (it's usually just a click->done process) but they didn't work (error box). Then I moved on to spybotS&D. It found quite a few problems and removed them all. Then I went to google to test things out, but I was still redirected on occasions.

After a lot more googling and annoyance, I came across an answer at a forum, which recommended combofix. Being me, I followed that person's recommendation and installed combofix. Now oddly enough, without even having run the program, the google redirect was gone (as far as I know), videos were working, and flash sites/images were working properly... but I ran combofix anyways. I followed the steps on the guide/tutorial and skimmed over most of the introduction part. It did its thing, and removed what I had suspected all along weren't "normal" files in my drive. Then I came back to this site, saw there was a forum, clicked it, saw the 50000 warnings about using combofix without the recommendation of a moderator here, and died a little inside.

Did I just make things way worse/more complicated than they had to be?

PS: I noticed that the thing that caught my attention the most in the files that combofix "removed" was a game that a friend had sent me, involving a crack. When I was about to install it, my antivirus detected a trojan, but my friend said he'd had it for a long time and didn't have any problems (it was an actual conversation, not a BOT or anything). Not sure if that helps...


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,769 posts, Virginia, USA)

Posted 29 December 2010 - 09:47 AM

...a game that a friend had sent me, involving a crack. When I was about to install it, my antivirus detected a trojan,

And it may have been. Your friend was probably using a different anti-virus which may not have detected it.

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

I strongly recommend that you remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites visited to get them is very likely how your computer got infected!!


Let's double-check to make sure.

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process. <- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware and remove any traces that may still be present. If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware. After performing that step, please post the complete results of your scan for review.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image]

#3 Xertol, Topic Starter (Members, 5 posts)

Posted 29 December 2010 - 06:30 PM

I didn't even know there was a crack involved until I got the folder then opened it =(. That's the last time that's gonna happen though.
Anyways, here's what I got from the scan, and thank you in advance.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5419

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/29/2010 6:13:28 PM
mbam-log-2010-12-29 (18-13-28).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 324868
Time elapsed: 50 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> 2172 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Registry Helper Service (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files (x86)\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\Users\AppData\Local\uzutolet.dll_old.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Local\wms32gt.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Roaming\microsoft\conhost.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Edited by Xertol, 29 December 2010 - 09:30 PM.
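Added example, not code from the thread or from Malwarebytes: a small Python triage script for the MBAM 1.x log format posted above. It is fed a constructed, abridged copy of this log, parses each "... Infected:" section into records, pulls the Bad/Good pair out of the hijacked Explorer\Associations\Application value (the redirect to helpmeopen.com that the scanner replaced with the shell.windows.com default), and separates hits whose path is under C:\Qoobox\quarantine (ComboFix's quarantine folder, so already-neutralised .vir copies rather than live infections) from the rest. The section and entry layout are inferred from the posted log, so the regular expressions are an assumption for other MBAM versions.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed input: an abridged copy of the log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5419

Memory Processes Infected: 1
Files Infected: 3

Memory Processes Infected:
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> 2172 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Registry Helper Service (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\Users\AppData\Local\wms32gt.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Users\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
"""

# A section header ends in "Infected:" with nothing after it; the summary block
# at the top uses "Infected: <count>" and is deliberately not matched.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# <path> (<detection family>) -> [details ->]* <action>; the path is matched
# lazily so "(x86)" inside a path is not mistaken for the family.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>.+?)\) Good: \((?P<good>.+?)\)")


def parse_mbam_log(text):
    """Return a list of detection records, one per entry line, tagged with their section."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        entries.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "details": parts[:-1],
            "action": parts[-1],
            # ComboFix stores what it removed under C:\Qoobox\Quarantine with a .vir
            # suffix; a hit there is an inert copy, not something still running.
            "already_quarantined": "\\qoobox\\quarantine\\" in m.group("path").lower(),
        })
    return entries


def summarize(entries):
    """Per-section counts, which should agree with the summary block at the top of the log."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["section"]] += 1
    return dict(counts)


def association_hijacks(entries):
    """(registry path, bad value, restored value) for each hijacked data item."""
    out = []
    for e in entries:
        for d in e["details"]:
            m = HIJACK_RE.search(d)
            if m:
                out.append((e["path"], m.group("bad"), m.group("good")))
    return out


def live_detections(entries):
    """Entries that were not already sitting in another tool's quarantine."""
    return [e for e in entries if not e["already_quarantined"]]


if __name__ == "__main__":
    ents = parse_mbam_log(SAMPLE_LOG)
    print(summarize(ents))
    for path, bad, good in association_hijacks(ents):
        print("hijacked:", path, "\n  was:", bad, "\n  restored to:", good)
    print(len(live_detections(ents)), "of", len(ents), "hits were live")
```

The Explorer\Associations\Application value is what Windows consults when you open a file with no registered handler; pointing it at an attacker's site turns every "open with" prompt into a download page, which is why the scanner logs the Good value alongside the Bad one. Run the script on a full log by replacing SAMPLE_LOG with the file contents.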


#4 quietman7, Bleepin' Janitor (Global Moderator, 51,769 posts, Virginia, USA)

Posted 29 December 2010 - 11:12 PM

Did you scan with TDSSKiller? If not, please do so and post the results.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferred method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.


Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 Xertol, Topic Starter (Members, 5 posts)

Posted 30 December 2010 - 03:17 AM

Oh sorry I didn't post the results for the TDSSKiller scan. It said 0 threats were found.
Here's the results for the Malwarebytes quick scan:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5420

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/30/2010 12:30:27 AM
mbam-log-2010-12-30 (00-30-27).txt

Scan type: Quick scan
Objects scanned: 166820
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's the results for the ESET scan:
C:\Qoobox\Quarantine\C\Users\AppData\Roaming\dwm.exe.vir a variant of Win32/Kryptik.JFX trojan cleaned by deleting - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-43f4c7e3 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\63ff10c2-4aafec59 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\170f55e-27bbdfb5 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\508d6175-660a0bd2 a variant of Java/TrojanDownloader.Agent.NAE trojan deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4ea1e4b6-68d9922f multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\55d09f87-77ba43b2 multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101224144418150.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101226235953905.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101227002145638.rsc a variant of Win32/Kryptik.JFG trojan deleted - quarantined

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,769 posts, Virginia, USA)

Posted 30 December 2010 - 09:39 AM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out.
Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java Version and remove outdated Java components. Even Java advises users to always have the latest version of Java since it contains security updates and improvements to previous versions.

The latest Java version contains important enhancements to improve performance, stability and security of the Java applications that run on your machine. Installing this free update will ensure that your Java applications continue to run safely and efficiently.

Why should I upgrade to the latest Java version?
Why should I upgrade to Java 6?

You can verify (test) your JAVA Software Installation & Version here.

Also let me know how your computer is running and if there are any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects.
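Added example, not code from the thread or from Sun/Oracle: a Python inventory script for the Java deployment cache described in the post above. It walks the cache tree, skips the .idx metadata file Java keeps beside each entry, classifies each content file from its magic bytes (applet JARs are zip archives, loose classes start with 0xCAFEBABE), lists the class names inside a JAR, and records a SHA-256 so the file can be looked up on VirusTotal or Jotti (the "second opinion" step from post #2) before deciding whether anything needs uploading; purge_cache then performs the "clear the entire cache" step. build_sample_cache constructs a throwaway tree in the 6.0/<bucket>/<id>-<id> layout seen in the ESET log; the entry names are copied from that log, the contents are harmless placeholders, not the detected files.

```python
"""Inventory and purge helper for a Java deployment cache (added example, not from the thread)."""
import hashlib
import io
import os
import tempfile
import zipfile


def classify(data):
    """Identify a cached entry by its magic bytes: applet JARs are zip archives,
    loose class files start with 0xCAFEBABE; anything else is reported as 'other'."""
    if data[:4] == b"PK\x03\x04":
        return "jar"
    if data[:4] == b"\xca\xfe\xba\xbe":
        return "class"
    return "other"


def inventory_cache(cache_root):
    """Return one record per content file under the cache.
    The .idx files Java writes beside each entry hold metadata (origin URL,
    timestamps) and are skipped. The SHA-256 lets you look the file up on
    VirusTotal or Jotti without uploading it."""
    records = []
    for dirpath, _, names in os.walk(cache_root):
        for name in sorted(names):
            if name.endswith(".idx"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rec = {
                "path": os.path.relpath(full, cache_root),
                "size": len(data),
                "kind": classify(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "classes": [],
            }
            if rec["kind"] == "jar":
                # List the classes inside the archive; an unfamiliar loader class
                # in a JAR fetched from an unknown site is worth a second opinion.
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    rec["classes"] = [n for n in zf.namelist() if n.endswith(".class")]
            records.append(rec)
    return records


def remaining_files(cache_root):
    """Count files left under the cache (used to confirm a purge)."""
    return sum(len(names) for _, _, names in os.walk(cache_root))


def purge_cache(cache_root):
    """Delete every file and sub-directory under the cache root, leaving the
    root itself for Java to repopulate. Returns the number of files removed."""
    removed = 0
    for dirpath, dirnames, names in os.walk(cache_root, topdown=False):
        for name in names:
            os.remove(os.path.join(dirpath, name))
            removed += 1
        for d in dirnames:  # children were emptied first because topdown=False
            os.rmdir(os.path.join(dirpath, d))
    return removed


def build_sample_cache():
    """Constructed test data: a throwaway tree in the 6.0/<bucket>/<id>-<id>
    layout from the ESET log. Entry names are copied from that log; the
    contents are placeholders, not the files ESET detected."""
    root = tempfile.mkdtemp(prefix="javacache-")
    bucket = os.path.join(root, "6.0", "53")
    os.makedirs(bucket)
    jar_path = os.path.join(bucket, "508d6175-660a0bd2")
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(jar_path + ".idx", "wb") as fh:  # metadata companion, skipped by inventory
        fh.write(b"\x00" * 16)
    bucket2 = os.path.join(root, "6.0", "7")
    os.makedirs(bucket2)
    with open(os.path.join(bucket2, "55d09f87-77ba43b2"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe\x00\x00\x00\x32")  # bare class-file header
    return root


if __name__ == "__main__":
    root = build_sample_cache()
    for rec in inventory_cache(root):
        print(rec["kind"], rec["path"], rec["sha256"][:16], rec["classes"])
    print("removed", purge_cache(root), "files; remaining", remaining_files(root))
```

On the poster's Windows 7 machine the real root is C:\Users\<name>\AppData\LocalLow\Sun\Java\Deployment\cache (the path in the ESET log); on Linux it is ~/.java/deployment/cache. Pass that path to inventory_cache, review the listing and look up the hashes, and only then call purge_cache; the inventory is read-only, so it is safe to run before deciding whether anything needs uploading.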

#7 Xertol, Topic Starter (Members, 5 posts)

Posted 30 December 2010 - 04:36 PM

Alright I finished doing all of that. Everything seems perfectly fine (and I think my internet's running way faster now lol).
Thank you sooo much! You're amazing!

#8 quietman7, Bleepin' Janitor (Global Moderator, 51,769 posts, Virginia, USA)

Posted 30 December 2010 - 04:48 PM

OK, then we are just about done, so let's do some final cleanup.

To uninstall ComboFix, click Start > Run... and type in the run dialog box: ComboFix /Uninstall
  • Press OK.
    -- Vista/Windows 7 users refer to these instructions: How to Enable Run Command in Windows 7 or Vista
  • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
  • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.

Please download OTC by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTC.exe to start the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
  • When it has finished, OTC will ask you to reboot so it can remove itself.
-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.

#9 Xertol, Topic Starter (Members, 5 posts)

Posted 30 December 2010 - 10:16 PM

Okay just finished all that. OTC was saved to my desktop and it removed itself after reboot, but I didn't notice any other changes (TDSS, mbam, ESET, malwarebyte are still on my desktop). Is that normal, and should I delete those now? Thanks again! =]

#10 quietman7, Bleepin' Janitor (Global Moderator, 51,769 posts, Virginia, USA)

Posted 30 December 2010 - 11:47 PM

OTC only removes certain specialized tools that have been added to its removal list. You can delete anything else on your desktop which you no longer want.

I recommend taking advantage of the Malwarebytes Anti-Malware (Pro) Protection Module in the full version which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology runs at startup where it monitors every process and helps stop malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Keep in mind that Malwarebytes does not act as a real-time protection scanner for every file like an anti-virus program so it is intended to be a supplement, not a substitute. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as the program utilizes few system resources and should not conflict with other scanners or anti-virus programs. If you choose the free version, you can just use it as a stand-alone scanner, however, Malwarebytes' service (mbamservice.exe) will still show in Task Manager which is normal.



