Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dusvext.B and friends


  • Please log in to reply
8 replies to this topic

#1 CBW

CBW

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 18 August 2011 - 06:35 PM

Hi there. A friend recommended I check out this site with a problem I had recently, apparently you guys helped him out quite a bit.

I'm not the most tech savvy person, but I get around, I'm not a grandmother.

I somehow managed to get something kinda nasty on my PC last night. Dusvext.B was the first thing I saw. MSE cleaned it right away and I thought that was the end of it. But a few hours later, I got an email from steam saying I was trying to activate steam on a different pc and all that. So, well, I have a keylogger. Fun. I start trying to run MSE again, but when I open it, my mouse moved on its own, closed out MSE and ended the program entirely. Freaked me out, honestly. But after some fooling around I got MSE up and working and it removed a bunch of stuff. Here's a screenshot of the MSE history.

http://img153.imageshack.us/img153/4046/swdfsdaf.png

Thats alot of stuff. I'm currently working on getting my steam account back, and until then I'm afraid of logging into anything else that might be stolen. I booted in safe mode, ran scans with several different antivirus programs, ran highjack this and examined that and did research on things it showed (I know I can't post logs here). I've done more scans in safe mode and just booted normally today, and it's come up clean. But I'm worried it's hiding out somewhere. I don't wanna think its gone and it steal some other password. What else can I do to be sure this thing is gone? I appreciate any responses and help.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:49 PM

Posted 18 August 2011 - 09:19 PM

Hello, lets run 2 more tools please and review these logs.
PWS:Win32/Fignotok.A is a trojan that steals user names and passwords from particular applications, including from Instant Messaging (IM) programs.
And any of the following applications:
DynDns
FileZilla
Firefox
Google Talk
Internet Explorer
No-IP Dynamic Update Client (DUC)
Pidgin Instant Messenger
Steam
Trillian

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 CBW

CBW
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 18 August 2011 - 10:05 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7504

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/18/2011 9:41:08 PM
mbam-log-2011-08-18 (21-41-08).txt

Scan type: Quick scan
Objects scanned: 170075
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{CEFBB580-BBFA-C97D-0BC6-F1C0EAFBAEED} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{CEFBB580-BBFA-C97D-0BC6-F1C0EAFBAEED} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft (Backdoor.Bot) -> Value: Microsoft -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender (Trojan.Agent) -> Value: Windows Defender -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows (Trojan.Agent) -> Value: Windows -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Chris\AppData\Local\Temp\syshost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Chris\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Chris\AppData\Local\Temp\xcoca.ine (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Chris\AppData\Local\Temp\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Shows them in the quarantine still. Should I delete them or are they fine?


And ESET online scanner returned no results.

Woops. My fault. Looks like ESET has picked something up. It sat at 99% for a bit and I assumed it was almost done. I left and came back 40 minutes later and its still going. Ill edit in results whenever it decides to finish.

and here is the eset log


C:\Users\Chris\Documents\winamp5572_full_emusic-7plus_en-us.exe Win32/OpenCandy application deleted - quarantined

Edited by CBW, 18 August 2011 - 11:08 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:49 PM

Posted 19 August 2011 - 09:48 AM

Hello, well yes you can delete them. If you use this machine for any financials,you should consider a reformat.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


To continue cleaning.. we nrrd to look for rootkits,

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 CBW

CBW
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 19 August 2011 - 01:34 PM

Hm, well I ran that as instructed and it didn't find anything.

I can certainly reformat if necessary, but I just have alot of stuff I'd like to keep. Would it be safe to move things to an external hard drive before I reformat? I'd have to go get one of course, but I've been looking for an excuse to buy one.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:49 PM

Posted 19 August 2011 - 02:07 PM

Let me post this from our Quietman7...
Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 CBW

CBW
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 19 August 2011 - 02:28 PM

Hm, I see. Well thanks for your help. I'll probably just go with the external hard drive. I won't be using any of those files listed, most of them are movie files. There's just way too much to send to discs. It would take an entire spindle most likely. I appreciate the help. Hate that theres stuff out there that causes people so much trouble like this.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:49 PM

Posted 19 August 2011 - 02:36 PM

Not an unwise decision to make. once you have everything on the other deveice then scan that. Use your AV,MBAM in FULL scan Mode and the ESET scanner.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 CBW

CBW
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 19 August 2011 - 04:20 PM

Thanks, I'll do that.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users