
i think i have a virus


12 replies to this topic

#1 snapper23
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 26 April 2011 - 04:44 PM

I think I have a virus!
Hi

I loaded ComboFix (renaming it) to my desktop from your BleepingComputer link - I accepted the upgrade. Then it does its restore saving and then closes, leaving only the desktop background image with a popup box titled rootkit saying:

combofix has detected the presence of rootkit activity and needs to reboot the machine

I click OK and the machine reboots - it restarts into ComboFix and then completes its routine - I don't see a problem with the log - but I do note that in c:\recycler I have 2 folders that I cannot remove:
1 CSAGGRRNRTBBUTRBGEFGHHWRHTKXBGCCVLVARSQCPDTXP
2 backenv

Please advise.
Regards and many thanks for the support.

Windows XP Pro

Edited by snapper23, 26 April 2011 - 04:45 PM.

#2 Computerproblem101
  • Members
  • 140 posts
  • Local time:09:04 AM

Posted 26 April 2011 - 07:55 PM

Combofix is an absurdly dangerous tool that can blow up the universe if you aren't using it under the supervision of someone in its use.

Please download Malwarebytes from http://www.malwarebytes.com - update it and run the quick scan. Let us know what it found.

#3 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 26 April 2011 - 08:27 PM

Hi

Before I run Malwarebytes - I have gone into safe mode - ran SUPERAntiSpyware - log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2011 at 01:30 AM

Application Version : 4.51.1000

Core Rules Database Version : 6908
Trace Rules Database Version: 4720

Scan type : Complete Scan
Total Scan Time : 01:27:24

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 5767
Registry threats detected : 0
File items scanned : 23781
File threats detected : 14

Adware.Tracking Cookie
spe.atdmt.com [ C:\Documents and Settings\snapper\Application Data\Macromedia\Flash Player\#SharedObjects\AMKVXQL4 ]
C:\Documents and Settings\snapper\Cookies\snapper@audience2media[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@invitemedia[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@adxpose[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@revsci[2].txt
C:\Documents and Settings\snapper\Cookies\snapper@at.atwola[2].txt
C:\Documents and Settings\snapper\Cookies\snapper@serving-sys[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@ads.audience2media[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@ar.atwola[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@collective-media[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@ads.aol.co[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@bs.serving-sys[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@tacoda.at.atwola[1].txt
C:\Documents and Settings\snapper\Cookies\snapper@uk.at.atwola[1].txt
Removed these, then tried to delete the recycler, and two new folders appeared on the c:/ drive:
1 WFODFWAW
2 DPIQPT with backenv subdirectory
Regards - I will now run Malwarebytes.

#4 Computerproblem101
  • Members
  • 140 posts
  • Local time:09:04 AM

Posted 26 April 2011 - 08:32 PM

Be sure to run Malwarebytes in normal mode, and not safe. Thank you for the SAS log.

#5 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 26 April 2011 - 08:38 PM

Hi
Malwarebytes ran in normal mode - gave log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6452

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

27/04/2011 02:34:26
mbam-log-2011-04-27 (02-34-26).txt

Scan type: Quick scan
Objects scanned: 146431
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards

PS it appears that I have deleted the recycler folder from the C:\ drive when in safe mode.

Edited by snapper23, 26 April 2011 - 08:42 PM.


#6 Computerproblem101
  • Members
  • 140 posts
  • Local time:09:04 AM

Posted 26 April 2011 - 08:46 PM

Thank you. Download http://www.safer-networking.org/en/spybotsd/index.html from here, right click the icon and click Run As Administrator. *required to remove infections or update* - update the program in normal mode, boot into safe mode and again right click the Run As Administrator icon. - run the scan and remove anything found, let me know what that finds.

#7 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 26 April 2011 - 08:52 PM

Hi
Do I actually run it in normal mode after the update, or just accept the update then exit to safe mode to run it?
Regards

#8 Computerproblem101
  • Members
  • 140 posts
  • Local time:09:04 AM

Posted 26 April 2011 - 08:53 PM

You update it in normal mode, as in safe mode you don't have an internet connection, and you need internet for the update. So you update in normal mode and then exit to Safe Mode to run it.

#9 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 26 April 2011 - 10:56 PM

Hi

Ran S&D in safe mode.

'Congratulations, no immediate threats were found'

But another folder has appeared on the c:/ drive, with another named 'backenv' subfolder.
Regards

#10 Computerproblem101
  • Members
  • 140 posts
  • Local time:09:04 AM

Posted 27 April 2011 - 05:45 PM

Is the machine running OK, but folders are just suddenly appearing? If so, we may need a closer look.

#11 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 27 April 2011 - 11:16 PM

Hi
The machine appears to be running OK - I have 2 folders that appeared after I tried to delete similar folders from 'recycler' - which I cannot delete:
1 is named 'DPIQPT' with a subfolder 'BackEnv' which I cannot access
2 is named 'KFSRIRLA' with a hidden folder named 'CSAGGRRNRTBBUTRBGEFGHHWRHTKXBGCCVLVARSQCPDTXP' - this also has a hidden folder named 'BackEnv' which I cannot access.

These folders appeared after I made attempts to remove ComboFix from my PC - if I run ComboFix a 'rootkit' popup box states combofix has detected the presence of rootkit activity and needs to reboot the machine.

I click OK and the machine reboots - it restarts into ComboFix and then completes its routine - I don't see a problem with the log - but I do note that in c:\recycler I have 2 folders that I cannot remove, plus the 2 that appeared from trying to delete recycler.
Regards

PS I think Backenv is the subfolder of Qoobox, the folder created by ComboFix.

Edited by snapper23, 27 April 2011 - 11:28 PM.


#12 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 29 April 2011 - 12:02 AM

Hi
Do you think I should try Unlocker to get rid of these two directories?
I have tried sharing to exercise rights to delete them but keep getting access denied.
Regards
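Before reaching for a forced-deletion tool, the practitioner's first step is to find out why the delete is refused. The following is an added example, not code from this thread or from ComboFix, Malwarebytes or SUPERAntiSpyware: a read-only PowerShell inventory of the directories directly under a few roots that reports attributes, creation time, owner and any explicit Deny access-control entries, and flags names that look like the random upper-case strings reported above. The roots in `$Roots` and the name heuristic are assumptions to adjust for the machine at hand; the script is written in PowerShell 2.0 syntax so it also runs on an XP-era install, and it deletes nothing.

```powershell
# Added example, not from the thread or from any tool named in it: read-only
# inventory of directories that "cannot be deleted". For each directory directly
# under the roots below it reports attributes, creation time, owner and explicit
# Deny ACEs, so an "access denied" can be explained before anything is removed.
# PowerShell 2.0 syntax (no -Directory switch, no [PSCustomObject]) on purpose.
# $Roots is an assumption; change it to the locations you want to inspect.
$Roots = @('C:\RECYCLER', 'C:\')

# Heuristic (assumption): a name of six or more upper-case letters and nothing
# else, like the folder names reported in the thread, is flagged for review.
$RandomNamePattern = '^[A-Z]{6,}$'

$report = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden and system entries that Explorer hides by default.
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir  = $_
            $flag = ''
            if ($dir.Name -cmatch $RandomNamePattern) { $flag = 'SUSPECT-NAME' }
            try {
                # Reading the ACL may itself be refused; report that rather than abort.
                $acl    = Get-Acl -Path $dir.FullName -ErrorAction Stop
                $owner  = $acl.Owner
                $denies = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' } |
                    ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights })
            } catch {
                $owner  = '<acl unreadable: ' + $_.Exception.Message + '>'
                $denies = @()
            }
            New-Object PSObject -Property @{
                Path       = $dir.FullName
                Attributes = $dir.Attributes
                Created    = $dir.CreationTime
                Owner      = $owner
                DenyACEs   = ($denies -join '; ')
                Flag       = $flag
            }
        }
}

# Flagged names first; the explicit Select-Object fixes the column order.
$report |
    Sort-Object Flag -Descending |
    Select-Object Path, Attributes, Created, Owner, DenyACEs, Flag |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session. An owner other than the current account, an explicit Deny entry, or the Hidden and System attributes each account for an "access denied" on their own, and the creation timestamp shows whether a folder appeared at the time of a scan or uninstall rather than earlier. A SUSPECT-NAME flag is only a prompt to look closer: as the thread itself later shows, a leftover cleanup-tool folder can look just as odd as a malicious one, so the owner, ACL and timestamp are what decide the next step.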

#13 snapper23
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:04 PM

Posted 30 April 2011 - 05:02 AM

Hi
I renamed the 'root' folder to Qoobox and the subfolder to Backenv.
I then downloaded ComboFix to my desktop.
I then ran the combofix /uninstall as directed by one of your forum replies.
This has 'deleted'/'removed' the 'problem' folders.

I am reluctant to run ComboFix BUT am still aware that it sensed rootkit activity.

Your advice please, and many thanks for your help on this problem.
Regards
