
Want to find out if I am clean now!



#1 RossNashwan


Posted 21 May 2011 - 05:00 PM

Hi there

Some time ago I believe I was infected via some sort of flash-based malware. It put the Total Security fake anti-virus on my system, which I managed to stop running by being quick on the ctrl-alt-del as soon as Windows started, and killing its process. At the time I used Malwarebytes to get rid of it. However, over the last month or so, odd things keep happening that may or may not be connected.

I noticed that my password forms would be reset, meaning I would have to re-enter them, which made me suspicious. Around the same time, Microsoft Security Essentials found and removed PWS:Win32/Zbot, though this keeps coming back. I found a website online that directed me to look in C:\Documents and Settings\<username>\Application Data (I am running XP) and sure enough found a randomly named folder in there. This is one folder that has regenerated itself, always with a random 4-character name, and containing an exe with a 5-character name. When that folder came back, my firewall (ZoneAlarm) also detected a file with a random name, but of the format 0.xxxxxxxxxxxxxxxx.exe where the x's are numbers. The 5-character program also adds itself to my startup files, which I checked using start > run > msconfig.

I also started getting problems with my ATI graphics monitoring program, CCC, where it would crash on startup (I reinstalled it and it seems OK now) as well as odd graphical glitches and instability within ZoneAlarm (also reinstalled whilst in Safe Mode). The settings window for Java in 'Control Panel' was also corrupted, looking like graphical gobbledygook, so I reinstalled Java. I have run a number of the free antimalware programs - Malwarebytes, IOBit360 and Microsoft Security Essentials. The latter two are running all the time; Malwarebytes I use as a passive scan. According to them my system is currently clean, but infections keep returning.

MSE also recently detected the following: Exploit:Win32/Pdfjsc.PE, Exploit:JS/Mult.DL and TrojanSpy:Win32/Delf.CL and removed them.

However, I have also been getting redirects in Firefox via google.ad.sgdoubleclick, where Google searches are hijacked and I am taken to an advert site rather than what I clicked on. I found some advice on Bleeping Computer HERE, some of which I followed:

-Cleared java cache
-Ran TDSS killer (no infection found)
-Ran TFC temp file cleaner
-Ran RKUnhookerLE but had no clue what I was looking at :)
-Ran DDS, but it doesn't want to work - the DOS window doesn't open, and I just get a notepad document of more gobbledygook. My machine has given it the icon of an AutoCAD script, so maybe my Autodesk Inventor installation has claimed it for its own?

Basically because this stuff keeps coming back, I am concerned something has dug its claws in deep and that even the three programs I have on the system just aren't finding the root of it.

Can anyone help me find out what's going on? Thanks in advance!

EDIT: Sys Specs:

AMD Athlon X2 4800+
ATI HD3850
2GB RAM
Windows XP 32 BIT (All updates installed)

Edited by RossNashwan, 22 May 2011 - 09:29 AM.

