Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm at a loss of what to do next


  • This topic is locked This topic is locked
13 replies to this topic

#1 Tamy

Tamy

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 12 February 2011 - 09:39 PM

Hello,
Well it all started a couple months ago - I got a backdoor Trojan called poison something. Dr. web caught and cured that and Malwarebytes picked up a couple Java downloaders with it. This Virus ruined my Avast (full subscription). So I downloaded the free Avira and paid for the Malwarebytes. Things were ok - with the exception that I could not update Java nor could I get rid of the Java 22 update (this is on the 64 bit Windows 7) I was able to remove the Java 22 and update to 23 on my 32 bit - And after much hair pulling out I was able to get the 22 update removed and the update 23 to java updated on the 64 bit part of my computer. Anyway - There have been a few pop ups and something stopped my Avira Guard from updating breifly. The pop ups say: HPSF_ Utils.exe (oxc000007b) unable to start correctly. I do also think it has invaded my full version of Malwarebytes as well, the reason being that if I click on the icon in my bottom tool bar it goes away and does not start or if I click on it in my hidden icons - it fails to start, Malwarebytes also acts strange - like it starts and then just shuts down. If I start it manually it seems ok? Well, last week my Zonealarm fire wall flagged Avscan.exe as a Wootbot worm and said not to let it access the internet? I thought that avscan was part of my Avira - there are too many conflicting stories when I tried to look it up? So I wonder if this Virus has overtaken the Avira too?
So last but not least I tried an F-secure online scan - HOLY MACKEREL - my computer went crazy tonight! The Pop ups (described above) went crazy and my Zonealarm firewall too! OMGoodness - I almost couldn't keep up! Well there is something there - but what ever it is is really smart - because - the F-secure didn't run very long after detecting and when I hit the Clean - it cleaned for two hours and I finally gave up and closed it - with out it telling me what it had caught - what ever it was it was two of them! Also at the same time that the f-secure scan quit - Zonealarm flagged that my Zonealarm Forcefield wanted to access the internet - well dummy me allowed it and then that is when f-secure just kept running for two hours saying it was cleaning the 2 virus's - so I'm thinking this virus tricked my firewall and then me?? There is one other thing - twice my key board has acted strange - in that - say I hit an A it would bring up an O - I know this can't be good - can anyone help me figure out what to do next?

Thank you :huh:
Tammy

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 12 February 2011 - 10:59 PM

Hello Tammy, I would like to try this.

Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.

Edited by boopme, 12 February 2011 - 10:59 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 13 February 2011 - 09:24 AM

Good Morning Boopme,

I have completed as you suggested with RKill.
At first - I didn't think is was going to do anything because the black box stayed open for a couple minutes.
I already had the free version of SAS on my computer - so I updated and ran a scan - woohoo it found 4 trojans.
This virus must have taken over my SAS as well - because I ran a scan every week with it and it only would find the cookies.
I had to reboot to fully remove them. I ran a MBAM quick scan - but I didn't go back into safe mode to do this - Should I have?
Thank you So much for all your Help Boopme!!!


Here is the SAS log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2011 at 06:52 AM

Application Version : 4.46.1000

Core Rules Database Version : 6387
Trace Rules Database Version: 4199

Scan type : Complete Scan
Total Scan Time : 01:09:00

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 13717
Registry threats detected : 0
File items scanned : 155145
File threats detected : 14

Adware.Tracking Cookie
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@adxpose[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@tacoda.at.atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@collective-media[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ads.bleepingcomputer[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@insightexpressai[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@invitemedia[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ar.atwola[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@at.atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ar.atwola[1].txt

Trojan.Agent/Gen-IEFake
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\H\IEXPLORE.EXE
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\IEXPLORE.EXE

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE

AND HERE is the MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5753

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/13/2011 7:07:16 AM
mbam-log-2011-02-13 (07-07-16).txt

Scan type: Quick scan
Objects scanned: 176210
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 13 February 2011 - 03:00 PM

Hello Tammy,no neeter to run MBAM in normal when you can.

Let,s run a TDSS check first and then an Online scan now and see what it finds.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer,Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 13 February 2011 - 03:25 PM

Hi Boopme,
Well, I re-ran the rkill after reading about it and my report from the first run - did not show that it killed any process's and just finished running another SAS scan and now it picked up 8 more trojans :wacko:

I just finished running the TDSS Killer and it found nothing!
I'm having a problem with the eset scanner though! I start explorer with admin - but when I click on your link to go to the eset - it opens up a new window that is not admin rights.

should I just go directly to their website? or is there another way! Sorry - I'm not real savvy to these things :o

Thank You for all your help!

Tammy

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 13 February 2011 - 03:41 PM

Note the green text in the ESET instructins.
right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

Can you tell me the 8 more trojans
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 13 February 2011 - 05:34 PM

Well I finally got it to run - it was very strange because after I accepted the user license it opened and all it showed was a picture icon - I kept clicking on that and then it asked me to install the active x - when I said yes it popped a box and said something like it you resend this information you may be charged twice. It just finished the scan and did not give me an option to save a log - so I copied and pasted in the run
C:\Program Files\ESET\EsetOnlineScanner\log.txt - but there it tells me there is no log?? It ran for 1:17 minutes and said there was no virus's?

Here is the 2nd log on SAS that shows the 8 trojans:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2011 at 06:52 AM

Application Version : 4.46.1000

Core Rules Database Version : 6387
Trace Rules Database Version: 4199

Scan type : Complete Scan
Total Scan Time : 01:09:00

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 13717
Registry threats detected : 0
File items scanned : 155145
File threats detected : 14

Adware.Tracking Cookie
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@adxpose[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@tacoda.at.atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@collective-media[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ads.bleepingcomputer[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@insightexpressai[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@invitemedia[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ar.atwola[2].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@at.atwola[1].txt
C:\Users\tamhbrih\AppData\Roaming\Microsoft\Windows\Cookies\tamhbrih@ar.atwola[1].txt

Trojan.Agent/Gen-IEFake
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\H\IEXPLORE.EXE
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\IEXPLORE.EXE

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\TAMHBRIH\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE

The second RKILL - did kill 1 process:
C:\Windows\SysWOW64\InfDefaultInstall.exe

I wonder if I'm still infected? Should I try the RKILL again?

Thank You Boopme - your help is truly appreciated!
Tammy

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 13 February 2011 - 08:38 PM

Ok Tammy, looks good. With ESET In some instances if no malware is found there will be no log produced.

Can you update yet?
Here's the reply when someone's Java is out of date with instructions to Update/install.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


After rebooting Update and run an AVira scan.
Let me know
And you are quite welcome.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 13 February 2011 - 09:53 PM

Hi Boopme,
Well, I think you may have mis-understood me. Referring to my first post - I was able to finally get the Java updated on the 64 bit. My immediate issue was that Zonealarm flagged avscan.exe as the Wootbot worm - I thought that avscan.exe was part of my Avira and in searching I was getting conflicting information so I tried to run an F-secure online scan and my computer went crazy.
If you get two message's on this - I'm sorry - for some reason the first did not post? Anyway I'm running a SAS scan in normal mode and it picked up more trojans - this time four of them - I was thinking that maybe it is picking up it's own quarentine folder - but if so - then it should be showing 12 not 4 - should I delete the ones in quarentine and re run it? I have ran Malwarebytes and Avira in normal mode and they are not picking anything up?

I'm sorry for the confusion from my first post!

Tammy

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 13 February 2011 - 10:21 PM

Hello,perhaps I did.. avscan.exe if Avira will be in C:\Program Files

I would need the log to confirm these trojans names and location.

Trojan.Agent/Gen-PEC may log user information and possibly block access to certain security related sites.

Trojans are programs that can appear to serve a legitimate purpose but actually have an unwanted or harmful effect.

A large segment of trojan programs download other harmful software components to a user's PC without his/her knowledge.

This application is most likely downloaded and installed by another application that is considered to be adware or spyware.


Worm.Wootbot is also known as W32.IRCBot


These are serious infections and keep dropping others. So I must post this advice.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 13 February 2011 - 10:37 PM

Thank You so much for all your help!
I was so hoping you would not tell me I needed to reformat - only because I don't know what I'm doing! But I really appreciate all your help anyway!

Thanks Boopme!

Best Wishes to you!
Tammy

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:41 PM

Posted 13 February 2011 - 10:46 PM

Hey Tammy, You are so welcome... If you would like to try avoiding the reformat we can go here.
But DO change those passwords.
If needed wecan take you thru a reformat.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.

Let me know if that went well.

Either way we'll take care of you.

Be well.
boop
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Tamy

Tamy
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Idaho, US
  • Local time:06:41 PM

Posted 14 February 2011 - 08:04 PM

Thank You Boopme,
I just got home from work and I will try this shortly!

Thank you Thank you Thank You!!!!!!!!11 :busy:

#14 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 AM

Posted 14 February 2011 - 11:33 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic379605.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users