Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hit by fake malware detector


  • Please log in to reply
7 replies to this topic

#1 Karaz

Karaz

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 05 June 2011 - 01:33 AM

Hey guys, I'm a long time lurker and this site has helped me out many times in the past, but this time I got hit with something that won't go away.
At first it was just the fake xp security center thing and I removed that, but it kept coming back. After awhile it stayed dead but today I got hit with Malware Detector and it made opening any executable or file impossible (running malwarebytes in safemode as an administrator cleared some of it), but I can tell I'm still infected. All of my google searches are redirected to random pages, logging into steam will crash my computer, and I can't get to window's update site.

I haven't run anything and besides coming here my computer has been idle.
I know there's some diagnostic tool I'm supposed to run, but I'm not too sure which to use. Any help will be greatly appreciated. Thank you for your time

edit: grammar

Edit 2: Folling the guide Winterland suggested I wrote out a better detailed account of what's happened so far below

Edited by Karaz, 05 June 2011 - 09:03 AM.
Moved from XP to Am I infected.


BC AdBot (Login to Remove)

 


#2 Winterland

Winterland

  • Members
  • 980 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:01:47 AM

Posted 05 June 2011 - 08:20 AM

Hello Karaz, I think you might want to start here: http://www.bleepingcomputer.com/forums/topic182397.html


And don't forget to let the folks know what your hardware is, what OS you're running, etc.


From what I've seen, the more info, the better.


Sorry you got hit, good luck with the resolve.


Winterland

Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#3 Karaz

Karaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 05 June 2011 - 08:56 AM

I just noticed that I was moved to the i am infected forum (I didn't know it existed).

Ok I'll give the best descriptions I can, I'm running Windows XP Service Pack 3 (32bit), Pentium Dual-Core CPU E5200 @ 2.50GHz, 2.50GHz, and 3.5GB RAM

I'm using firefox 4 as my default browser and the latest IE update when using Microsoft's site.

I got hit with a variant of the fake Firewall virus a few weeks ago(Mine was Windows XP Firewall IIRC, basically it killed Security Essentials, Killed my real Security Center and kept any antivirus tool I had from opening) I googled the program name and stumbled upon bleeping computer's remedy (Involving RKill.com, FIXNCR.reg and Malwarebytes.) It was cleared it for a little, I guess it didn't get all the traces and it came back, I got rid of it again and went searching for the files that MB said were the cause and found a couple of other files that it left behind and I deleted those as well. Things were good for a few days.

That wasn't enough as the virus upgraded itself last night to something called Malware Detector that would not allow me to open any file at all, it would pop up a fake alert saying it was infected with a wormblaster trojan, I went into safemode and using malwarebytes on my administrator account it found 550+ files that were malicious/infected, and I deleted them thinking that was it. After I went back in with my normal account I notice that my google clicks are being redirected to random sites, if I don't use google it will open up pages to a random site, and if I try to log into Steam my computer will crash. I've tried to find a way to resolve these issues but since there isn't much for me to go on, my google-fu is pretty weak.

What's the next step I should take to find out (and get rid of) what's infecting my computer?

Edit: I remember getting infected with a virus when searching for an article (some trashy hollywood gossip about the Akira live action movie) my friend was trying to look up, I opened way too many tabs so I can't recall the site I went to, but my normal web browsing has never infected me before

-I'm running Security Essentials (first time since the outbreak) and it's still finding malicious programs, MB randomly opened while SE was running as well, I don't know how that will affect the results of SE has MB finished first and found five infected objects.

-I know it's bad to have two antivirus programs installed, but SE is my main and I use MB when it get's crippled, I usually uninstall MB after everything is fixed; results from SE, it found rootkit:AlureonMbr it's taking awhile to remove it, but I doubt this will be the end of it

-After all of that, my computer is still infected, it quaranteened the rootkit but my searches are still redirected and Steam still BSODs my computer. I haven't tried re-installing Steam, I'm waiting until this gets cleared

Hopefully final edit. I googled Rootkit Removal (since it was only quaranteed and not removed) and came across something called TDDSKiller. I ran that in safe mode it found one rootkit and a suspect file, I quaranteened the suspect and cured the rootkit, everything is working fine now. (Steam is even working right haha). It seems as though my stored logins like aim and steam were reset though. I'll live nothing sensitive was stored on this thing

TL;DR - NEVERMIND I FIXED IT LOL

Edited by Karaz, 05 June 2011 - 10:16 AM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:47 AM

Posted 05 June 2011 - 04:49 PM

Ok. good, sorry for the slow replt as we are busy.

The TDSS rootkithas stolen alll your passwords and they need to be changed I would also like you to run these and see if something is left.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Karaz

Karaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 06 June 2011 - 07:01 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6773

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2011 8:00:43 PM
mbam-log-2011-06-06 (20-00-43).txt

Scan type: Quick scan
Objects scanned: 210294
Time elapsed: 23 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 135

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\WINDOWS\system32\xmldm (Stolen.Data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000554.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000555.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000556.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000557.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000558.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000559.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000560.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000561.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000562.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000563.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000564.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000565.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000566_ifrm.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000567.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000568.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000570.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000571.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000572.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000573.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000574.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000575.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000576.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000577.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000578.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000579.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000580.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000581.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000582.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000583.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000584.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000586.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000587.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000588.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000589.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000590.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000591.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000592.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000593.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000594.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000595.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000596.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000597.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000598.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000599.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000600.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000553.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000569.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000585.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000601.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000617.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000633.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000649.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000602.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000603.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000604.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000605.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000606.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000607.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000608.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000609.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000610.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000611.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000612.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000613.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000614.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000615.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000616.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000538.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000539.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000540.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000541.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000542.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000543.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000544.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000545.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000546.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000547.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000548.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000549.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000550.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000551.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000552.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000618.key (Stolen.Data) -> Delete on reboot.
c:\WINDOWS\system32\xmldm\188_ff_0000000619.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000620.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000621.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000622.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000623.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000624_ifrm.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000625.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000626.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000627.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000628.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000629.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000630.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000631.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000632.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000634.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000635.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000636.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000637.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000638.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000639.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000640.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000641.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000642.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000643.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000644.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000645.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000646.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000647.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000648.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000650.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000651.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000652.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000653.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000654.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000655.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000656.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000657.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000658.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000659.frm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000660.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000661.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000662.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000663.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000664.key (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000665.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000666.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000667.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000668.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000669.pst (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000670.htm (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xmldm\188_ff_0000000671.key (Stolen.Data) -> Quarantined and deleted successfully.


wow not as safe as I thought I was... I'm a little scared because I made a few purchases online and had to access my bank account too yesterday...

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:47 AM

Posted 06 June 2011 - 07:46 PM

Hmm,looks like a variant of Trojan Banker. Once installed and executed, the trojan-spy logs all keystrokes entered into a web form; the stolen information can then be retrieved by the attacker.

As you have Banked This is Important
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Karaz

Karaz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:47 AM

Posted 06 June 2011 - 07:59 PM

Ouch... I guess it's time for me to format this hard drive again (I used to do that in the past but I have way too many games to back up this time)
It's about time I upgrade to Windows 7 anyway... This is the last time I go chasing rumors for people haha.

Thanks for your help!

Edited by Karaz, 07 June 2011 - 08:08 AM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:47 AM

Posted 06 June 2011 - 08:26 PM

You're welcome,it's the decision I'd have made if that's any consolation. I'll post this as it can help if you do reinstall.

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech
Windows XP: Clean Install

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users