Think I may be infected


  • This topic is locked
18 replies to this topic

#1 Sign

Sign

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 24 April 2011 - 12:24 AM

Hello, this is my first time posting here. I've tried to look for a solution to my problem but I cannot find it. I am running XP Professional.

I've run Kaspersky and, while it says there is nothing infected on my computer, I definitely know something is wrong. Usually when I click a link on Google I'll be redirected to random suspicious websites. I also look into the Windows Task Manager, and if I've had my PC on for some time svchost.exe will have the top memory usage. This has never been the case before, and I've read this might be due to malware infecting it. Any and all help with my problem would be appreciated. I'm afraid to do much with my computer.

Edit: I have noticed with the Kaspersky notifications that svchost.exe is trying to download malicious software.

Edited by Sign, 24 April 2011 - 03:03 AM.




#2 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 24 April 2011 - 06:36 PM

Any help would be greatly appreciated : [

#3 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 24 April 2011 - 06:44 PM

Hi Sign. I'm going to ask you to download Malwarebytes from http://www.malwarebytes.org and download SAS from http://www.superantispyware.com as well. Update both of these programs until you have the latest database. Turn your PC off, boot it into safe mode *Begin tapping the F8 key every few seconds as the system boots up until the screen offering the Safe Mode option appears.* and run a Superantispyware full scan and a Malwarebytes quick scan. This should take care of most of the problem. You will then restart your computer *non-safe mode* and let me know how that went; I will then be able to give you further instruction on how to clean up the rest. It appears you have a little bit of everything going on, but it seems like it's fixable. - Good luck.

#4 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:11:11 PM

Posted 24 April 2011 - 07:05 PM

Don't run MBAM in safe mode. It's more effective in normal mode.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#5 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 24 April 2011 - 07:06 PM

Don't run MBAM in safe mode. It's more effective in normal mode.



That's the first time I have heard this. Spyware has been known to terminate Malwarebytes if it's still active in non-safe mode. Could you tell me why MBAM is less effective in safe mode? Thanks.

#6 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:11:11 PM

Posted 24 April 2011 - 07:10 PM

It's the way MBAM loads its series of drivers. It has a low-level driver that doesn't work in safe mode, and that's why it is more effective in normal mode. And SAS will terminate it because they are two of the same type of tool and they will cause conflicts if run together.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#7 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 24 April 2011 - 10:06 PM

I ran MBAM in both safe and regular mode, and while it didn't find anything, SAS found a considerable amount of infections on my computer. However, the problem still remains: I am getting notifications of svchost.exe trying to download from sites, and I am being redirected from Google links.

Edit: Random websites sometimes pop up too whenever I am surfing the web.

Edited by Sign, 25 April 2011 - 05:07 PM.


#8 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 25 April 2011 - 07:59 PM

Go here: http://www.safer-networking.org/en/spybotsd/index.html

Download Spybot Search And Destroy 1.62, update it, turn the computer off, and boot into safe mode. *IMPORTANT* - right-click Spybot and click Run As Administrator; failure to do so will result in infections not being removed due to an improper elevation level.

Run the scan and remove anything found. *If you see some PUPs, let us know and we will direct you as to whether you should remove those or not.*

Let me know how that went and I will then instruct you further

#9 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 26 April 2011 - 04:46 PM

Didn't have any PUPs but it found some infections on my computer. The problem still exists though, random redirects, svchost.exe is still trying to download malicious content. Dunno if this is relevant but my computer makes a single beeping sound when I'm asked to choose my profile. It also starts with My Documents open even though I hadn't opened it before.

#10 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 26 April 2011 - 07:53 PM

Can you give me an example of what Spybot found? You will need to run more scans, but what you run will be dependent on what Spybot found

#11 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 26 April 2011 - 11:40 PM

I can't really remember, but there was something called CoolWWWsearch or something along those lines. I'm sorry, it found some security and malware things but I can't recall the names :(

#12 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 27 April 2011 - 05:49 PM

Run Trend Micro Housecall and let me know what it finds. http://housecall.trendmicro.com/

#13 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 27 April 2011 - 08:34 PM

Only found one threat. ehitevok.dll

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:11 PM

Posted 27 April 2011 - 10:11 PM


Don't run MBAM in safe mode. It's more effective in normal mode.



That's the first time I have heard this. Spyware has been known to terminate Malwarebytes if it's still active in non-safe mode. Could you tell me why MBAM is less effective in safe mode? Thanks.


Here's the answer to that question:

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

If one cannot use or complete a scan in normal mode, then one uses a Quick Scan in "Safe Mode".

~ OB

@ sign,

Did you run MBAM? If so, please post the log. If you haven't, please do so.

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#15 Sign

Sign
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 28 April 2011 - 11:18 AM

I've run it a few times over the past few days, so I'll post those logs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2011 11:14:27 PM
mbam-log-2011-04-22 (23-14-27).txt

Scan type: Quick scan
Objects scanned: 225787
Time elapsed: 25 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\ftfiocz.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6to4ex.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2011 10:42:33 PM
mbam-log-2011-04-22 (22-42-33).txt

Scan type: Quick scan
Objects scanned: 62181
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Miles\local settings\Temp\oxwrcasnem.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\iirw\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\agva\setup.exe (Adware.WebSearch) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\qhvx\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2011 10:26:52 PM
mbam-log-2011-04-22 (22-26-52).txt

Scan type: Quick scan
Objects scanned: 52633
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\WINDOWS\Temp\Tfq.exe (Trojan.Downloader) -> 452 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2EOETFM3W2 (Trojan.Downloader) -> Value: 2EOETFM3W2 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D1T2EUR7FZ (Trojan.Downloader) -> Value: D1T2EUR7FZ -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\Tfq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Tfr.exe (Trojan.Downloader) -> Quarantined a

And I ran it right before I posted here and it found nothing.
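The MBAM logs posted above all share one layout: a header of per-section counts, then one detail section per category with one detection per line. As an added example that is not part of this thread, this Python parser reads that layout from a constructed sample (placeholder file names and GUID, not the thread's values), reports any section whose header count disagrees with the entries actually listed, and lists the items marked "Delete on reboot" that still have to be confirmed gone after the restart.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.50 logs above (placeholder names, not thread values).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100

Memory Modules Infected: 1
Files Infected: 3

Memory Modules Infected:
c:\WINDOWS\system32\example_a.dll (Trojan.Agent) -> Delete on reboot.

Files Infected:
c:\WINDOWS\example_b.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\example_a.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Tasks\{00000000-0000-0000-0000-000000000000}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<sec>.+ Infected): (?P<n>\d+)$")   # header count lines
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")   # "<path or key> (<family>)"

def parse_entry(line, section):
    """One detection: '<item> (<family>) -> [<pid> | Value: <x> ->] <action>.'"""
    parts = [p.strip() for p in line.split(" -> ")]
    m = ITEM_RE.match(parts[0]) if len(parts) >= 2 else None
    if not m:
        return None
    return {"section": section, "item": m["item"], "family": m["family"],
            "action": parts[-1].rstrip(".")}

def parse_mbam_log(text):
    """Return (summary, entries): the header count per section and every listed detection."""
    summary, entries, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m["sec"]] = int(m["n"])
        elif line.endswith("Infected:"):
            section = line[:-1]              # a detail section starts; its entries follow
        elif section and (e := parse_entry(line, section)):
            entries.append(e)
    return summary, entries

def count_mismatches(summary, entries):
    """Sections whose header count differs from the entries listed: {section: (claimed, listed)}."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen[s]) for s, n in summary.items() if n != seen[s]}

def pending_reboot(entries):
    """Items MBAM could only schedule for deletion; verify they are gone after the restart."""
    return sorted({e["item"] for e in entries if e["action"] == "Delete on reboot"})
```

The parser handles one log at a time; the three logs pasted above would be split on their "Malwarebytes' Anti-Malware" header lines before being fed in.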



