
Exploit Phoenix Exploit Kit (Type 1450)


18 replies to this topic

#1 DrProphet

DrProphet

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 17 July 2011 - 11:30 AM

Hi,

I hope I've come to the right place. I have been having recurring trojan/malware problems causing my desktop PC to run at a snail's pace on and off for the past month or so.

As the post title suggests, the latest find was Exploit Phoenix Exploit Kit (Type 1450).

My PC is running:

Windows XP (I think service pack 3)
My web browser was internet explorer, but I believe my engineer friend has now changed it to Google Chrome on my behalf (Currently not liking it to be honest)

Firewall:
Zone Alarm

The anti-virus software I am running is:
AVG Anti-Virus Free Edition (this blocks a threat pretty much every day)
Spybot Search & Destroy (which today found adware such as adviva, doubleclick, mediaplex & webtrends live)
Malwarebytes (regularly finds trojans/viruses etc.)

I also had Emsisoft a-squared, although I believe this has now been removed by an engineer that I occasionally use for my PC help.

I'm not sure where these viruses spawned from but I stupidly opened an email that I believe was called something along the lines of Canadian pharmacy something-or-other. And since then I've had no end of issues.

The most noticeable problem I am having is constant 50-100% CPU usage, mostly being eaten up by servicehost.exe, which basically renders my PC useless at some point every time I use it.

No idea what extra information to add to be honest. Whatever info you need, just ask and I will provide.

Thank you in advance.

P.S. I have also posted this question for a second time in this discussion thread under "recurring viruses/ servicehost.exe pain" :( I'm sure I'm not supposed to do this, but can't figure out how to delete that post. Can someone please let me know, so I don't have 2 of the same posts running. Thank you.
Mod Edit: Deleted duplicate ~ Hamluis.

Edited by hamluis, 17 July 2011 - 12:17 PM.
No logs, moved from MRL to AII.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,313 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 AM

Posted 17 July 2011 - 05:41 PM

Hello and welcome. Let's get a current log.

We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode > Advanced Mode.
  • You may be presented with a warning dialog. If so, click Yes.
  • Click on Tools and then Resident.
  • Uncheck this checkbox: "Resident TeaTimer (protection of over-all system settings) active"
  • Close/Exit Spybot Search and Destroy.



Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.



EDIT: Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by boopme, 17 July 2011 - 05:45 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 18 July 2011 - 02:57 PM

Hi Boopme,

Thanks a lot for your help.

I have so far run ATF Cleaner and a scan with SUPERAntiSpyware. The results were pretty impressive compared to my current AV software.

Can't believe how many threats it found, or more to the point, how many my other AV software neglected to find.

Well, as requested, below is a copy of the scan log from S.A.S.:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/18/2011 at 07:50 PM

Application Version : 4.55.1000

Core Rules Database Version : 7421
Trace Rules Database Version: 5233

Scan type : Complete Scan
Total Scan Time : 01:17:56

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 6446
Registry threats detected : 2
File items scanned : 70005
File threats detected : 81

System.BrokenFileAssociation
HKCR\.exe

Adware.Tracking Cookie
C:\Documents and Settings\Dan\Cookies\dan@atdmt.combing[2].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt.combing[3].txt
C:\Documents and Settings\Dan\Cookies\dan@bs.serving-sys[2].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt[1].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt[3].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt[4].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt[2].txt
.atdmt.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.cpcadnet.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.cpcadnet.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediabrandsww.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bs.serving-sys.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.avgtechnologies.112.2o7.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tribalfusion.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adxpose.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.solvemedia.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.solvemedia.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\GEE59YLS ]
s1.media.howtospendit.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\GEE59YLS ]
spe.atdmt.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\GEE59YLS ]
stat.easydate.biz [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\GEE59YLS ]

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY

I shall now run a Malwarebytes scan, just wanted to make sure I got this up first. A point of interest I did notice was the detection directly above, regarding Security Center, Update Disable Notify. I'm not entirely sure whether this was caused by myself or a virus.

Reason: I have not been able to switch on my Windows Updates for quite a while now, so it could be regarding that. Or, alternatively, when I mentioned my concerns regarding the balloon pop-up I got every time at start-up to my engineer, he recommended I go to the Security Center and switch off this alert. Which I did. So it could be that. I'm sure you will know. I shall now run the MB scan and post the results below.

Thanks again.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,313 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 AM

Posted 18 July 2011 - 03:40 PM

Malware more than likely caused the setting to be changed so that you would not be notified of Windows and/or antivirus updates.

Edited by boopme, 18 July 2011 - 03:40 PM.


#5 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 18 July 2011 - 04:01 PM

Ah, as I suspected. Well, after an eternity, like everything on my PC currently, here is the scan log from the Malwarebytes quick scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7193

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/07/2011 21:48:26
mbam-log-2011-07-18 (21-48-26).txt

Scan type: Quick scan
Objects scanned: 171023
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\documents and settings\Dan\application data\Epta\daro.exe (Backdoor.Bot) -> 2736 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Dan\application data\Epta\daro.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\default user\start menu\Programs\Startup\igunlo.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Guest\start menu\Programs\Startup\isihu.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Looks like Backdoor.Bot likes my PC. 4 of them detected in total.


FYI, what a nightmare this was. Whatever virus I seem to have picked up HATES M.B. It takes forever to launch, and it wouldn't allow me to install the latest version after downloading the updates. I got a message informing me that M.B. needed to close to install the latest version, to which I clicked OK. After a couple of minutes, I was asked to select a language, English was preselected, I clicked OK again, and an alert popped up, saying the following: 'This program requires Windows NT version 4.0 or later.'

Other possibly useful info: I had another visit from Exploit Phoenix Exploit Kit earlier when I got home from work. I opened my email account to check my emails, there was nothing of any importance in there, so I didn't open any emails at all, but left myself signed into Live Messenger. 10 minutes or so later, out of the blue, AVG found a threat. If you like I can post the 2 specific names of these occurrences in my next post, if they would be of any use to you.

I shall now proceed with the security check you requested, and post shortly. (at least as shortly as my processor permits)

Thanks again Boopme, for your prompt replies on this matter.

#6 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 18 July 2011 - 04:34 PM

OK, well I just downloaded and ran Security Check.

The results were as follows:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG 2011
ZoneAlarm
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 21
Java™ 6 Update 3
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10.0.12.36
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````

I hope this helps.

For the record, below are the 2 occurrences of Exploit Phoenix Exploit Kit (type 1450) that AVG alerted me to:

1st. fregattertoop.com/count/arymdrcla.php (This one happened a couple of days ago)

2nd. red10p.com/count/arymdrcla.php (this was the one that came up today)

Other possibly relevant information:

Whenever I do an M.B. scan it always states that it must restart my PC to complete its actions. I agree to this but after 10 mins or so of waiting, I feel like my PC has frozen and force it to shut down via my standby button. I'm sure this isn't healthy for my PC, but I'm just not sure it's gonna shut down of its own accord sometimes. Does this prevent M.B. from completing its quarantining tasks and replant my threats/viruses straight back where they came from?

Also when I shutdown it is delayed regularly by 2 operations...waiting for the following programs to end:

Firstly: hpqtra08.exe

then once this has finished ending comes: base2pane.form

I apologise for all the random information, I'm just trying to provide as much info as possible, and am unsure of the relevance of certain items.

#7 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 18 July 2011 - 06:27 PM

OK, I've just been away from my PC for a couple of hours, and guess what. I have received 2 new emails, one in my junk folder, 'Max Enlargement Pills'. I think we can safely say I won't be opening that. And another in my inbox with just my name as the title, but from a foreign name that I have no knowledge of. Pretty sure they're trying to re-infect me or something. Any chance the virus owner knows I'm trying to kill their horrible malware?? Or just simple coincidence?? :) I have placed both in my junk folder for now. What action would you recommend for these, and, for fear of sounding melodramatic, would it be worth changing my online banking passwords etc. on my laptop, not this ridden thing obviously??

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,313 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 AM

Posted 18 July 2011 - 06:44 PM

OK, I have to ask you to consider this next.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#9 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 19 July 2011 - 12:55 PM

Hi Boopme,

Thanks for the advice. I have in fact been considering a reformat, although I could use some advice on the best way to go about this. I recently bought an external hard drive which is large enough to hold all the files that would require saving. So at least I have that side of things covered, although I have heard of viruses/malware attaching themselves to random files and respawning. Is there a way round this?

I did reformat this PC a couple of years back, when it had DLL issues, but I can't remember exactly how I went about it. I'm sure I had a disc back then, can't say I know of its location now though. If I can find the Windows XP disc would you recommend I reformat using that, or should I download a version from the net to use? Could really use some pointers on where to start with a reformat.

Also, what is your opinion on the AV software I use? Do you think it's up to the job, or should I be using something a bit stronger? As previously stated I am currently running the ZoneAlarm firewall, AVG as my main defense, followed by Spybot, and regular scans with M.B. Are there any out there that would do the job of a couple of these, so that I didn't require them all? Must say I was impressed with SUPERAntiSpyware, but is that a bit overkill for regular use?

Lastly, I'm not enjoying Google Chrome at all. Any other browsers you would recommend?

Sorry about all the questions. Just want to make sure if I do a reformat, that I do it in a sensible way, to try and keep the system as bug free as possible.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,313 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:04 AM

Posted 19 July 2011 - 03:10 PM

Only back up your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery discs to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems subforums.
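The backup advice in the post above (skip executables, scripts and archives, and watch for disguised names like a data extension sitting in front of .exe or .scr) can be applied mechanically before anything is burned to DVD. The following is an added example written for this page; it is not code from the thread, from BleepingComputer or from any tool named here. The DATA_EXTS list of "plain personal data" extensions and the sample profile tree are assumptions constructed for the example. Python is used because its standard library can look inside .zip archives, which lets the script apply the "archives with executables inside" rule instead of excluding every archive blindly (.cab and .rar are still excluded outright).

```python
"""Pre-backup triage of a user profile before a reformat (added example)."""
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the advice says not to copy off a compromised machine.
EXECUTABLE_EXTS = {".exe", ".scr", ".ini", ".php", ".asp", ".htm", ".html", ".xml"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# What this example treats as plain personal data (an assumption, extend as needed).
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".doc", ".xls", ".pdf", ".txt"}


def classify(name: str) -> tuple[str, str]:
    """Decide from the file name alone: 'copy', 'exclude' or 'review'."""
    # Strip padding so "party.jpg        .scr" is read as jpg + scr.
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "review", "no usable extension"
    final_ext = "." + parts[-1]
    if final_ext in EXECUTABLE_EXTS:
        # Double extension: a data-looking extension in front of an executable
        # one is the classic disguise when Explorer hides known extensions.
        if len(parts) > 2 and "." + parts[-2] in DATA_EXTS:
            return "exclude", f"disguised executable ('.{parts[-2]}' before {final_ext})"
        return "exclude", f"executable/script extension {final_ext}"
    if final_ext in ARCHIVE_EXTS:
        return "exclude", f"archive {final_ext}"
    if final_ext in DATA_EXTS:
        return "copy", f"data extension {final_ext}"
    return "review", f"unknown extension {final_ext}"


def zip_members_are_clean(path: Path) -> bool:
    """A .zip may be copied only if every member classifies as plain data."""
    try:
        with zipfile.ZipFile(path) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        return False  # unreadable archive: treat as unsafe
    return all(classify(os.path.basename(n))[0] == "copy" for n in members)


def triage(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk root and bucket every file; paths are root-relative, POSIX style."""
    buckets: dict[str, list[tuple[str, str]]] = {"copy": [], "exclude": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            verdict, reason = classify(name)
            if verdict == "exclude" and name.lower().endswith(".zip") and zip_members_are_clean(full):
                verdict, reason = "copy", "zip containing only data files"
            buckets[verdict].append((full.relative_to(root).as_posix(), reason))
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def build_constructed_profile(root: Path) -> None:
    """Constructed sample tree; the names are invented, not from the thread."""
    (root / "My Pictures").mkdir(parents=True)
    (root / "My Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (root / "My Pictures" / "holiday.jpg.exe").write_bytes(b"MZ")              # disguised
    (root / "My Pictures" / "party.jpg                .scr").write_bytes(b"MZ")  # padded name
    docs = root / "My Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("shopping list")
    (docs / "desktop.ini").write_text("[.ShellClassInfo]")
    (docs / "unknown.dat").write_bytes(b"\x00")
    with zipfile.ZipFile(docs / "photos.zip", "w") as zf:
        zf.writestr("2010/beach.jpg", "jpeg bytes")
    with zipfile.ZipFile(docs / "installer.zip", "w") as zf:
        zf.writestr("readme.txt", "run setup")
        zf.writestr("setup.exe", "MZ")


def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Build the sample profile in a temp dir, triage it and return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profile(root)
        return triage(root)


if __name__ == "__main__":
    for verdict, entries in run_demo().items():
        print(f"== {verdict.upper()} ==")
        for rel, why in entries:
            print(f"  {rel:45} {why}")
```

Run it against the real profile with `triage(Path(r"C:\Documents and Settings\<user>"))` and burn only the "copy" bucket; "review" is for files a human should look at before deciding. Because the verdicts come from names, not contents, this is a filter on what leaves the machine, not a malware scan; the advice to scan the backed-up data again before restoring it still applies.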

#11 DrProphet

DrProphet
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 19 July 2011 - 04:25 PM

Hey boopme,

Thanks for those links. Looks like I have my work cut out. Thanks for the heads up about the external hard-drive too, I can probably avoid that risk anyway. I shouldn't have more than 20GB of pics/music/docs that require backing up, so I should be able to fit that on a few DVD's.

Just out of interest, if the original virus is buried or linked somewhere in my email account, what do I do about that? As, once the clean install has been done, the last thing I want to do is open my email inbox and become reinfected. What options are available to me for this?

Delete email account completely? (I do have a second one available that I can use)
Delete all emails but change password? (I'm presuming I can't forward emails to my new email account for risk of passing on the infection)
Is it likely that the owner of this virus could access my email account at any time?

Would the best policy be to cut all ties with my current infected email account, and start over?

I will happily only back up my personal files, so no .exe or .html files. Everything else can be freshly downloaded after all.

Lastly, I have browsed through the links you have posted here but am slightly confused about what I am to do. Is it a CLEAN install of Windows XP Home Edition I'm after? That's pretty much what I have now. One of the links mentioned booting from floppy disks. If I can find the original XP disc, would that be my best option for reformatting?

#12 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,313 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 July 2011 - 08:41 PM

You're welcome.
I wanted to add 2 other items.
Step 1: Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results; they may be handy.
Preferably use your disk. You should be able to get your XP key in Belarc, if needed, if you use someone else's XP disc or download something.

Step 2: If you use a flash drive
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Just out of interest, if the original virus is buried or linked somewhere in my email account, what do I do about that?

It would be in your Emails not the application. Delete them, changing the password never hurts.


I do not like AVG, especially the latest. I see too many problems here with it. I would use either Avira or Avast free.
Look here http://www.bleepingcomputer.com/forums/topic366982.html
Keep MBAM and SUPERAntiSpyware as on-demand scanners; update and scan weekly. ZA is a good firewall.
Also add SpywareBlaster (on that page).
I ran all of these for years on my XP machine.


If I can find the original XP Disc would that be my best option for reformatting?
This is the best choice as you can just put it in the drive, reboot off that disk and follow the instructions.

I hope I got it all

Edited by boopme, 19 July 2011 - 08:49 PM.

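The Flash_Disinfector step above relies on a simple trick: Windows XP looks for a file called autorun.inf in the root of a removable drive, and if a directory already occupies that name, malware cannot drop its own file there. The added example below (not Flash_Disinfector's code, and not from the original post) shows both halves of the job in Python: reading an existing autorun.inf to see what it would launch, then replacing it with a protective directory. The drive root is a temporary folder standing in for a USB stick, and the autorun.inf contents are constructed for the demo; the real tool also marks the folder hidden/system and plants an undeletable entry inside it, which this example does not do.

```python
"""Inspect a removable drive root for autorun.inf and replace it with a
protective directory of the same name. Added example; a temp folder
stands in for the drive root and the sample autorun.inf is constructed."""
import configparser
import os
import stat
import tempfile

# [autorun] keys that can execute a program when the drive is mounted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def inspect_autorun(drive_root):
    """Return (kind, launch_targets).

    kind is 'none' (nothing at that path), 'dir' (already protected) or
    'file'. launch_targets lists the commands an autorun.inf file would run.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "none", []
    if os.path.isdir(path):
        return "dir", []
    # autorun.inf is INI-like: ';' comments, '=' delimiters, any case.
    # interpolation=None keeps '%SystemRoot%' style values from raising.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    try:
        parser.read(path, encoding="latin-1")
    except configparser.Error:
        return "file", ["<unparseable>"]
    # Section names are case-sensitive in configparser; match loosely.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    targets = []
    if section is not None:
        for key in LAUNCH_KEYS:
            value = parser.get(section, key, fallback=None)
            if value:
                targets.append(value.strip())
    return "file", targets


def protect(drive_root):
    """Replace an autorun.inf file with a directory of that name.

    A directory at the path Windows probes means a later infection cannot
    create its own autorun.inf file there. Returns 'already-protected'
    or 'protected'.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "already-protected"
    if os.path.lexists(path):
        # Malware often sets the read-only attribute; clear it before removal.
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)
    os.mkdir(path)
    return "protected"


# Constructed sample mimicking the kind of autorun.inf a USB worm drops.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "; launched on insert via AutoPlay\r\n"
    "open=RECYCLER\\S-1-5-21\\payload.exe\r\n"
    "shellexecute=RECYCLER\\S-1-5-21\\payload.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
)


def demo():
    """Build a fake drive root, inspect it, protect it, inspect again."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
        fh.write(SAMPLE_AUTORUN)
    before = inspect_autorun(root)
    result = protect(root)
    after = inspect_autorun(root)
    return before, result, after


if __name__ == "__main__":
    for label, value in zip(("before", "protect", "after"), demo()):
        print(label, value)
```

Holding Shift while inserting the drive, as the post says, stops AutoPlay from acting on the file before you have had a chance to inspect it; the script reads the file without executing anything in it.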

#13 DrProphet
  • Topic Starter
  • Members
  • 41 posts

Posted 20 July 2011 - 01:04 PM

Brilliant. That's a great help.

Good news. I found the XP disc last night, in its packet with the registration key :)

Please excuse my naivety, however. Will putting the XP disc in just reformat my whole PC, i.e. overwrite everything that exists there already? (This would be a clean install then? No traces of any nasties.) No prior action required other than backing up my personal files to disc?

I seem to remember something about making a startup disc/ recovery disc if you want to reboot. Does this still exist or is this for some other use entirely? (My computer knowledge ain't what it used to be :))

I intend to perform this reformat this weekend. Could you possibly just confirm that I will be doing things in the correct order?

1. back up files to DVD.
2. Insert XP disc and restart. Follow instructions to install.
3. Reinstall device drivers. (keyboard, mouse, cam)
4. Make sure windows firewall is running.
5. connect to internet.
6. download zone alarm and reinstall.
7. add software. (adobe, microsoft office etc.)
8. Install printer
9. Download antivirus software.
10. Transfer files back on to PC from discs.

Please feel free to add anything you think I've missed, or adjust things if they're a bit topsy-turvy.

The only reservations I have are getting back online, but I'm sure I'll remember how to do it, once I get there.

Thanks for all your help with this. I'll come back and let you know how I got on, once I'm up 'n running again.

Just one last thing. Am thinking of trying a new browser. What are Opera and Firefox like? Any good? Don't want anything too fancy. Do you have any links to browser reviews on this forum, so that I can see what benefits each one offers?

Edited by DrProphet, 20 July 2011 - 01:09 PM.


#14 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,313 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 July 2011 - 08:34 PM

Hello. I haven't done this in a while so if you need specifics just ask in XP as they do it all day.
1. back up files to DVD.
2. Insert XP disc and restart. Follow instructions to install.
3. Reinstall device drivers. (keyboard, mouse, cam)
4. Make sure windows firewall is running.
5. connect to internet.
9. Download antivirus software.
6. download zone alarm and reinstall.
7. add software. (adobe, microsoft office etc.)
8. Install printer
10. Transfer files back on to PC from discs.
11. Go to Windows Update and install service packs, as you may only have SP1 on the disk.


Go here to Michael Stevens:
http://www.michaelstevenstech.com/cleanxpinstall.html#steps
See:
"Prepping for a Clean install"
"Steps to Clean Install XP"

I like Opera, and Firefox is also more secure than IE.
Link
http://www.bleepingcomputer.com/forums/topic4858.html/page__hl__best+browser

Consider using Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

Ask about this in Networking if you don't already start an XP topic. I am NOT a network guy.
Good luck, talk to you on the clean machine.

Quote: The only reservations I have are getting back online, but I'm sure I'll remember how to do it, once I get there.

#15 DrProphet
  • Topic Starter
  • Members
  • 41 posts

Posted 23 July 2011 - 06:43 AM

Hi Boopme,


Sorry for the delayed reply. For some reason my PC wouldn't allow my replies to post. Such a pain. Anyway, just thought I'd let ya know I'm in the process of my clean install now, and I'll let ya know how I got on, so that this thread can be closed if required. See you on the other side :)



