happens even to the best of us


This topic is locked
37 replies to this topic

#1 herg62123

herg62123

  • Members
  • 553 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montgomery, AL
  • Local time:08:46 PM

Posted 11 June 2011 - 02:19 PM

This is embarrassing, but even the best of us will get caught. Guess it is my time now. <_<

OK, my back story:

I am in the training class here and was working on my practice examples when I noticed a file on my desktop called (desktop.ini).

I was wondering why that showed, so I opened the file and saw a line that resembled a folder location I have seen before in my studies.

I started snooping around and found a file that was only a day old in creation but was almost 4 GB in size.

Started looking around and started seeing a similar desktop.ini file in several folders.

Right then I knew I was infected with something, but not really sure what yet.

Started looking in the most common folders where infections hide (didn't try to remove, only look), did some research, and from my gathering found it to be an IRC trojan backdoor (I think it is the flood version).

I have noticed high CPU usage on all 3 of my computers, and the only thing these 3 computers have in common is my router. Right then I reset my router, according to the manufacturer, to completely reset the router, and then unplugged it from the wall for the time being.

I have run Malwarebytes, and on all 3 computers it shows "trojan backdoor" at least 50 times or more on each machine.

I realized this goes above my knowledge when I forgot to update Malwarebytes, so I waited for Malwarebytes to finish and then updated it. Once updated, I ran a full scan again. This time it found even more than last. I thought it was because I updated Malwarebytes. To make sure, I ran Malwarebytes a third time and found even more again. So by now I figured this trojan is replicating itself and reinstalling the missing files.

Well, this is now where I am at.

I am a study hall student (FYI) but still in the early stages, so I will be needing help on how to address this trojan as well as help on removing the trojan from my computers.

(FYI - I have an XP desktop, a Vista laptop, and a Windows 7 netbook; all 3 of these machines have the same trojan/virus in them.)
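A quick way to turn the two observations in the post above (desktop.ini turning up in several folders, and a day-old file close to 4 GB) into something repeatable is a small walk of the profile directory. The following is an added example and not code from the original post: it lists every desktop.ini under a root and every file that is both recent and large. The thresholds, the constructed sample tree and its file names are assumptions. One caveat for the reader: desktop.ini is a legitimate, normally hidden Explorer folder-customisation file, so its presence alone is not evidence of compromise; what matters is its contents and whether it is newly written in folders where it never was.

```python
"""Filesystem triage for the two indicators described in the post above:
desktop.ini files turning up in several folders, and a file only a day old
that is unexpectedly large. Added example; not code from the original post.
Runs offline against a constructed sample tree built in a temp directory."""
import os
import tempfile
import time
from collections import Counter
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Hit:
    path: str
    size: int
    age_days: float
    reason: str


def triage(root, max_age_days=2.0, min_size=1 << 30, now=None):
    """Walk `root` and return Hit records sorted by path.

    Thresholds are assumptions: 'recent' means modified within `max_age_days`,
    'large' means at least `min_size` bytes (default 1 GiB). Modification time
    is used because creation time is not portable across filesystems; swap in
    st_birthtime where the platform exposes it."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable, or vanished between listing and stat
            age_days = (now - st.st_mtime) / 86400.0
            if name.lower() == "desktop.ini":
                # Report every copy so the operator can compare contents and
                # spot ones written into folders that never had one.
                hits.append(Hit(str(path), st.st_size, age_days, "desktop.ini"))
            if age_days <= max_age_days and st.st_size >= min_size:
                hits.append(Hit(str(path), st.st_size, age_days, "recent large file"))
    return sorted(hits, key=lambda h: h.path)


def summarize(hits):
    """Count hits per reason, e.g. {'desktop.ini': 2, 'recent large file': 1}."""
    return dict(Counter(h.reason for h in hits))


def build_sample_tree():
    """Constructed sample tree (not data from the post): an old desktop.ini
    under Documents, a fresh one on the Desktop, a benign old text file, and a
    fresh 2 MiB sparse file standing in for the poster's 4 GB file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    old = time.time() - 30 * 86400
    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    ini = "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\n"
    (root / "Documents" / "desktop.ini").write_text(ini)
    os.utime(root / "Documents" / "desktop.ini", (old, old))
    (root / "Documents" / "notes.txt").write_text("benign\n")
    os.utime(root / "Documents" / "notes.txt", (old, old))
    (root / "Desktop" / "desktop.ini").write_text(ini)
    with open(root / "Desktop" / "dropped.dat", "wb") as fh:
        fh.truncate(2 << 20)  # sparse on most filesystems, so it costs no disk
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # min_size lowered so the 2 MiB stand-in trips the 'large' rule
    found = triage(sample, min_size=1 << 20)
    for hit in found:
        print(f"{hit.reason:18} {hit.size:>10} B  {hit.age_days:5.1f} d  {hit.path}")
    print(summarize(found))
```

Run it against a real profile with `triage(Path.home())` and the default 1 GiB threshold; on a live machine the interesting output is a desktop.ini whose contents are not the usual `[.ShellClassInfo]` icon lines, or a large file nobody remembers creating.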


#2 herg62123


Posted 11 June 2011 - 02:29 PM

Since I am not currently at home right now, I will post the DDS log and GMER log soon.

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:46 PM

Posted 11 June 2011 - 02:41 PM

Hi there,

No worries.....

Could you please also post the MBAM logs along with the others? :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 herg62123


Posted 12 June 2011 - 09:42 AM

OK, the Windows 7 netbook is out now. I powered it on this morning to run the logs to post, and while it was powering on a nice black screen came up and said "boot record not found". It would not go any further. So now we are down to 2 computers. This one will be reinstalled from scratch from the boot-up disks.

Time to power on the laptop and hope that doesn't happen.

Update: the laptop is working, kinda.

Edited by herg62123, 12 June 2011 - 10:04 AM.


#5 teacup61


Posted 12 June 2011 - 01:34 PM

Hello,

Are the 3 networked? If so, they need to be taken off and separated. When you reinstall W7, do NOT network it with the others. Are you able to get any log from the other 2?

#6 herg62123


Posted 12 June 2011 - 03:45 PM

It is taking me some time on the laptop. As soon as I can I will post the log from the laptop.

All 3 of these are wireless, but I have turned the wireless feature off. I have also unplugged the router as well.

The laptop is running so slow right now, but it is working. As soon as the report shows up I will paste it. Sorry for the delay, but I can only go as fast as the computer is letting me.

Edited by herg62123, 12 June 2011 - 03:57 PM.


#7 teacup61


Posted 12 June 2011 - 03:56 PM

Good. :thumbup2: Good.....they don't need to be hooked back together until all are clean. Otherwise, you know what will happen.........?

Post when you're ready. I'm still here close by for some hours yet and will be notified. :)

#8 herg62123


Posted 12 June 2011 - 09:34 PM

Here is one of my MBAM files:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6822

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/10/2011 1:05:52 AM
mbam-log-2011-06-12 (01-05-52).txt

Scan type: Quick scan
Objects scanned: 163294
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 herg62123


Posted 12 June 2011 - 09:36 PM

Here is the second MBAM file:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6832

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/11/2011 4:20:21 AM
mbam-log-2011-06-12 (04-20-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 222278
Time elapsed: 1 hour(s), 47 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.5449a0.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.112c14f0.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.113c1140.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.11a411a8.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.16341638.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.1dcf50.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.328324.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.4c0710.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.5881dc.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.608948.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.6d8890.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.6e41334.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.79c93c.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.7a0fe0.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.9208e4.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.97c84c.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.bc044c.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.be47c.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.c0ab8.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.da8e58.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.e8cb7c.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.fa0ef8.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\virtualstore\program files\ocp software\wince cab manager\Stubs\1d0fc5890b54cc6d449ec5a61be10a8917ca0\cecabmanager.exe.fe4974.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
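The two Malwarebytes logs above share one layout: summary counts, then one section per object type with `location (detection) -> action` lines. The following is an added example, not code from the original thread or from Malwarebytes. It parses that layout, checks the summary counts against the items actually listed (a mismatch means a truncated or edited log), tallies detections by family, and compares two consecutive scans so that a location quarantined in one scan and back in the next stands out, which is the pattern the poster described in the first post. The two sample logs are constructed here with the `make_log` helper; their paths and detection names are placeholders, not the poster's data.

```python
"""Parse Malwarebytes 1.x scan logs in the layout of the two logs posted above
and compare consecutive scans. Added example, not code from the original post
or from Malwarebytes. The sample logs are constructed with placeholder paths."""
import re
from collections import Counter

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
COUNT_RE = re.compile(r"^(?P<sec>.+?) Infected: (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<sec>.+?) Infected:$")
# "<location> (<detection name>) -> <action>". Detection names in the posted
# logs contain no parentheses, so a path like "Program Files (x86)" is not
# mis-split: the regex must find a ") -> " right after the name.
ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {'db_version', 'scan_type', 'declared': {section: n},
    'items': [(section, location, name, action), ...]}."""
    log = {"db_version": None, "scan_type": None, "declared": {}, "items": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            section = None  # a blank line closes the current section
            continue
        if line.startswith("Database version:"):
            log["db_version"] = int(line.split(":", 1)[1])
            continue
        if line.startswith("Scan type:"):
            log["scan_type"] = line.split(":", 1)[1].strip()
            continue
        m = COUNT_RE.match(line)
        if m and m.group("sec") in SECTIONS:
            log["declared"][m.group("sec")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m and m.group("sec") in SECTIONS:
            section = m.group("sec")
            continue
        if section and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                log["items"].append((section, m.group("loc"), m.group("name"), m.group("action")))
    return log


def count_mismatches(log):
    """Sections whose summary count disagrees with the listed items:
    {section: (declared, listed)}. Non-empty means truncated or edited."""
    listed = Counter(sec for sec, *_ in log["items"])
    return {sec: (n, listed[sec]) for sec, n in log["declared"].items() if n != listed[sec]}


def names_by_family(log):
    """Detections per family name, e.g. Counter({'Trojan.Backdoor': 23})."""
    return Counter(name for _sec, _loc, name, _act in log["items"])


def compare_scans(earlier, later):
    """Keyed on (section, lower-cased location). 'recurring' locations were
    quarantined in the earlier scan yet are back in the later one: the
    signature of a dropper that re-creates its files between scans."""
    before = {(s, loc.lower()) for s, loc, _n, _a in earlier["items"]}
    after = {(s, loc.lower()) for s, loc, _n, _a in later["items"]}
    return {"recurring": before & after, "new": after - before, "gone": before - after}


def make_log(db_version, scan_type, items):
    """Constructed log text in the layout of the posted logs (not a real scan)."""
    per = {s: [] for s in SECTIONS}
    for sec, loc, name, action in items:
        per[sec].append(f"{loc} ({name}) -> {action}")
    lines = ["Malwarebytes' Anti-Malware 1.51.0.1200", "www.malwarebytes.org", "",
             f"Database version: {db_version}", "", f"Scan type: {scan_type}", ""]
    lines += [f"{s} Infected: {len(per[s])}" for s in SECTIONS] + [""]
    for s in SECTIONS:
        lines += [f"{s} Infected:"] + (per[s] or ["(No malicious items detected)"]) + [""]
    return "\n".join(lines)


DONE = "Quarantined and deleted successfully."
TMP = r"c:\users\owner\appdata\local\temp"  # placeholder path, not the poster's
SCAN_1 = make_log(6822, "Quick scan", [
    ("Registry Keys", r"HKEY_CLASSES_ROOT\Example.Installer", "Adware.Example", DONE),
    ("Files", TMP + r"\svc01.tmp", "Trojan.Backdoor", DONE),
    ("Files", TMP + r"\svc02.tmp", "Trojan.Backdoor", DONE),
])
SCAN_2 = make_log(6832, r"Full scan (C:\|)", [
    ("Files", TMP + r"\svc02.tmp", "Trojan.Backdoor", DONE),  # quarantined, came back
    ("Files", TMP + r"\svc03.tmp", "Trojan.Backdoor", DONE),  # new drop
    ("Files", r"c:\program files (x86)\demo\x.exe", "Trojan.Backdoor", DONE),
])


if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    print("families:", names_by_family(second))
    print("count mismatches:", count_mismatches(second))
    print("recurring (quarantined, then back):", sorted(compare_scans(first, second)["recurring"]))
```

Feed it the real logs with `parse_mbam_log(open(path).read())`; the `recurring` set across the poster's first, second and third runs is the evidence for the "replicating itself and reinstalling" hypothesis, while `new` locations in a full scan after a quick scan are expected and say nothing on their own.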

#10 herg62123


Posted 12 June 2011 - 09:56 PM

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-12 21:54:12
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVS-26UST0 rev.01.01A01
Running: xq5vu1em.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uwtoapow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8604D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8604D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 8604D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8604D1F8
Device \Driver\atapi \Device\Ide\IdePort2 8604D1F8
Device \Driver\atapi \Device\Ide\IdePort3 8604D1F8
Device \Driver\ajspg1j6 \Device\Scsi\ajspg1j61 866011F8
Device \Driver\ajspg1j6 \Device\Scsi\ajspg1j61Port5Path0Target0Lun0 866011F8
Device \FileSystem\Ntfs \Ntfs 8604E1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#11 teacup61


Posted 12 June 2011 - 10:15 PM

Thank you for those. :thumbup2:


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to herg.exe and try again.

Thanks,
tea

#12 herg62123


Posted 13 June 2011 - 12:57 PM

I do have the DDS log as well. I am at work right now and will be home later tonight to post those.

The reason it is taking so long is:

  • My laptop is about 5 years old. It had XP but got a free upgrade to Vista when I bought it.
  • My power cord port where I plug in is loose.
  • My power cord itself has a short in it, and the only way to charge my laptop is to have the PC off or in sleep mode.
  • On top of that, these stupid trojans don't help either.

Again, I will post my DDS log tonight and do as you asked above.

#13 teacup61


Posted 13 June 2011 - 01:49 PM

It's all right....no need to stress any more than you already are. I know it's frustrating. Post when you're ready. :thumbup2:

#14 herg62123


Posted 13 June 2011 - 02:30 PM

Good news is:

  • I work for a major retail store that sells batteries for laptops (have to order).
  • We also sell a Toshiba universal power cord (in store).
  • And I have purchased a 3-user Windows 7 Home Premium, so I can install Windows 7 on my desktop and laptop, and as a backup for my netbook. Of course, I will install this only after my computers are clean first.
  • My netbook is back up and going again - more good news.
  • I am still wanting to check my desktop, but I think it is clean.


#15 teacup61


Posted 13 June 2011 - 02:37 PM

Up to you....I'll check anything you want me to check. Post when you're ready. :thumbup2: