MBAM Log finds 3 infections, not sure if it's spyware or virus


28 replies to this topic

#1 tide_belle

tide_belle

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Alabama
  • Local time:11:02 AM

Posted 23 January 2011 - 01:58 PM

My computer is running Windows XP and I noticed that Firefox was running abnormally slowly. I updated then ran MBAM and it found 3 infections. I am not sure if this is just simple spyware or a virus. I would like to take care of it before it possibly spreads any further.

Ran SAS with current updates and it found Trojan.Agent/Gen-Nullo (Short), and I am getting really concerned. The only two possibilities could have been, again, my dh doing searches on certain topics (all clean) or where I downloaded some books for a Nook. This is getting frustrating.
Let me know if I need to attach my MBAM and SAS logs with the infections.
Thank you in advance for your help!

Edited by tide_belle, 23 January 2011 - 06:20 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:02 PM

Posted 24 January 2011 - 02:01 PM

Yes, post your logs.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image].

#3 tide_belle

Posted 24 January 2011 - 08:04 PM

I reran MBAM and SAS today again after updating and they found nothing. I know from experience with a RootKit that doesn't always mean I'm in the clear. Here are the logs from the infections. I do not see the "Attach a File" button so I'm pasting it. Sorry if it's not what I am supposed to do.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5573

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/22/2011 9:03:28 PM
mbam-log-2011-01-22 (21-03-28).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 221404
Time elapsed: 4 hour(s), 19 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\dream chronicles - the book of air\xgmddkd.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP47\A0003798.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP56\A0004361.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/23/2011 at 04:49 PM

Application Version : 4.48.1000

Core Rules Database Version : 6248
Trace Rules Database Version: 4061

Scan type : Complete Scan
Total Scan Time : 02:55:28

Memory items scanned : 506
Memory threats detected : 0
Registry items scanned : 7058
Registry threats detected : 0
File items scanned : 28781
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Jodi\Cookies\jodi@ad.wsod[2].txt
C:\Documents and Settings\Jodi\Cookies\jodi@invitemedia[1].txt
C:\Documents and Settings\Jodi\Cookies\jodi@collective-media[2].txt
C:\Documents and Settings\Jodi\Cookies\jodi@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Jodi\Cookies\jodi@revsci[1].txt
C:\Documents and Settings\Jodi\Cookies\jodi@www.googleadservices[2].txt
media.scanscout.com [ C:\Documents and Settings\Jodi\Application Data\Macromedia\Flash Player\#SharedObjects\ARY64KHQ ]

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP66\A0004683.EXE

#4 quietman7

Posted 24 January 2011 - 09:46 PM

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!
  • Be sure to read all the information Norman provides on that same page.
  • Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
    The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (e.g. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
-- Note: If you need to scan a USB flash drive or other removable drive not listed, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.

#5 tide_belle

Posted 24 January 2011 - 10:26 PM

I have downloaded and am running it now. Will post in the AM. Good night!

#6 tide_belle

Posted 25 January 2011 - 08:49 AM

Good morning! Here is the log you requested.

Norman Malware Cleaner
Version 1.8.3
Copyright © 1990 - 2010, Norman ASA. Built 2011/01/24 13:18:18

Norman Scanner Engine Version: 6.06.12
Nvcbin.def Version: 6.06.00, Date: 2011/01/24 13:18:18, Variants: 9386333

Scan started: 2011/01/24 21:07:17

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600 Service Pack 3
Logged on user: D7C1CCB1\Jodi

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop -> NoChangingWallPaper = 0x00000000

Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 125ms


Scanning running processes and process memory...

Number of processes/threads found: 4612
Number of processes/threads scanned: 4612
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 6m 9s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

Scanning: D:\*.*

Scanning: postscan


Running post-scan cleanup routine:
Failed to locate shared service executable: C:\WINDOWS\System32\appmgmts.dll
Removed service: AppMgmt

Number of files found: 289988
Number of archives unpacked: 3952
Number of files scanned: 289986
Number of files not scanned: 2
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 4h 33m 3s

#7 quietman7

Posted 25 January 2011 - 09:58 AM

Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator.
    To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" section, then press the [button image] button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the [button image] button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the [button image] button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished. If that's the case, please refer to How To Temporarily Disable Your Anti-virus.

#8 tide_belle

Posted 25 January 2011 - 06:44 PM

Kaspersky online scanner is not working. After about 1 1/2 hours it failed to load. When I went back to their site it said it is currently unavailable. Would you like for me to try Eset?

#9 quietman7

Posted 25 January 2011 - 07:02 PM

"Would you like for me to try Eset?"

This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

#10 tide_belle

Posted 25 January 2011 - 07:07 PM

How about F-Secure?

#11 quietman7

Posted 25 January 2011 - 07:10 PM

Eset is fine...I was just providing some notes about using it.

F-Secure is ok too but IMO Eset is better.

#12 tide_belle

Posted 25 January 2011 - 07:12 PM

Sure thing, I'll get it up and running and have you a log posted soon. Do I need to run this in Safe Mode? Thank you!

Edited by tide_belle, 25 January 2011 - 07:13 PM.


#13 quietman7

Posted 25 January 2011 - 09:23 PM

Not a problem.

#14 tide_belle

Posted 26 January 2011 - 09:51 AM

Sorry, it took so long that I had to wait until this morning. Here is what it found. I had "Fix Problems" checked, but I still have it open this morning in case I need to undo anything.

C:\Documents and Settings\Jodi\Local Settings\Temp\tmp0scals Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temp\tmp18eecn Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temp\tmp1logoi Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temp\tmpdk9jxb Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temp\tmpi4eui6 Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temp\tmpjx0qyp Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temporary Internet Files\Content.IE5\LCW8GGKT\index-functions[1].js Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temporary Internet Files\Content.IE5\LCW8GGKT\registrybooster[1].exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0003806.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003959.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003960.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003961.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003962.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003963.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003964.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003965.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003997.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003998.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003999.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0004000.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0004001.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0004115.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0004116.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0004117.exe Win32/RegistryBooster application cleaned by deleting - quarantined

#15 quietman7

Posted 26 January 2011 - 12:46 PM

Anything related to Win32/Packed.RBCrypt.A.Gen in the System Volume Information folder is safe to remove. Looks like most of the detections were related to RegistryBooster so you may just want to uninstall it.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

1. Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

2. Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

3. Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

4. Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

5. The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


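A triage helper for the scan logs pasted in #3 and #14, added here as an example; it is not code from BleepingComputer, the poster or any scanner vendor. It parses the Malwarebytes, SUPERAntiSpyware and ESET detection lines and sorts each hit by where the file lives: restore-point copies under System Volume Information (which quietman7 calls safe to remove in #15; they are inert until someone restores to that point, which would bring the file back), files in temp, cache and cookie folders, and files at live paths such as the AutoRun.IRCBot hit under Program Files, which is the one worth investigating first. The sample lines are copied from the logs above; the line-format regexes are my reading of those lines, not the vendors' documented formats.

```python
"""Sort scanner-log detections by where the detected file lives.

Added example for this thread (not BleepingComputer's, the poster's or any
vendor's code). Handles the three line formats seen in the posts above:
  Malwarebytes:     <path> (<name>) -> <action>
  ESET:             <path> <name> <action>
  SUPERAntiSpyware: a bare <name> header line followed by one path per line
The regexes are my reading of those sample lines, not vendor specifications.
"""
import re
from dataclasses import dataclass

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# ESET: the detection name starts with "a variant of", "multiple threats" or a
# Platform/Family token containing a slash; everything before it is the path.
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<rest>(?:a variant of |probably a variant of |multiple threats|[A-Za-z0-9]+/).*)$"
)
ESET_ACTION_RE = re.compile(r"^(?P<name>.+?)\s+(?P<action>(?:cleaned|deleted|quarantined|unable)\b.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# System Restore snapshot: ...\System Volume Information\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\(rp\d+)\\", re.I)
TEMP_RE = re.compile(r"\\(local settings\\temp|temporary internet files|cookies)\\", re.I)


@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str       # "live", "temp" or "restore_point"
    restore_point: str  # "RP47" etc. for restore-point hits, else ""


def classify(path: str):
    """Return (location, restore_point) for a detected file path."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group(1).upper()
    if TEMP_RE.search(path):
        return "temp", ""
    return "live", ""


def parse_log(text: str):
    """Extract Detection records from pasted scanner output; other lines are ignored."""
    found = []
    header = ""  # most recent non-path line, used as the SAS detection name
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MBAM_RE.match(line)
        if m:
            path, name, action = m.group("path"), m.group("name"), m.group("action")
        elif (m := ESET_RE.match(line)):
            path = m.group("path")
            a = ESET_ACTION_RE.match(m.group("rest"))
            name, action = (a.group("name"), a.group("action")) if a else (m.group("rest"), "")
        elif DRIVE_PATH_RE.match(line):
            # SAS lists bare paths under a detection-name header and records no action
            path, name, action = line, header, ""
        else:
            header = line
            continue
        location, rp = classify(path)
        found.append(Detection(path, name, action, location, rp))
    return found


def triage(text: str):
    """Group detections by location; live-path hits are the ones to chase first."""
    groups = {"live": [], "temp": [], "restore_point": []}
    for d in parse_log(text):
        groups[d.location].append(d)
    return groups


def contaminated_restore_points(text: str):
    """Restore points that held a detected file; restoring to one would bring it back."""
    return sorted({d.restore_point for d in parse_log(text) if d.location == "restore_point"})


# Sample lines copied from the MBAM, SAS and ESET logs posted in this thread.
SAMPLE_LOG = r"""
Files Infected:
c:\program files\dream chronicles - the book of air\xgmddkd.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP47\A0003798.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP56\A0004361.exe (AutoRun.IRCBot) -> Quarantined and deleted successfully.

Adware.Tracking Cookie
C:\Documents and Settings\Jodi\Cookies\jodi@ad.wsod[2].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP66\A0004683.EXE

C:\Documents and Settings\Jodi\Local Settings\Temp\tmp0scals Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Documents and Settings\Jodi\Local Settings\Temporary Internet Files\Content.IE5\LCW8GGKT\registrybooster[1].exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0003806.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP49\A0003959.rbf Win32/Packed.RBCrypt.A.Gen application cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    for loc, hits in triage(SAMPLE_LOG).items():
        print(f"{loc}: {len(hits)}")
        for d in hits:
            print(f"  {d.name:35} {d.path}")
    print("restore points to purge:", contaminated_restore_points(SAMPLE_LOG))
```

Run against the sample, the only live-path hit is xgmddkd.exe in the game's folder; everything else is a restore-point copy (RP47, RP49, RP56, RP66) or a temp/cache file, which is why purging System Restore after cleaning is the usual follow-up step.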



