
Downloaded an unsafe exe file and contracted a virus


This topic is locked
5 replies to this topic

#1 billycuth (Members, 20 posts)

Posted 11 September 2011 - 07:50 AM

Hi everyone. New to the forums (although I have come here for help plenty of times). I have already broken the rule of not using ComboFix before being told to use it, because I did a Google search on my problem and it was recommended for each of the people who had similar problems (and I didn't realize I wasn't supposed to do it without supervision). I will give a summary of how this started, what I have done to fix it so far, and where things stand.

I have a Dell Latitude E6500 with Windows XP Pro, SP3. This is a work computer, and the hard drive is encrypted using SafeGuard Easy 4.3. It has some proprietary software that is only compatible with certain versions of "off the shelf" software. One of the programs we need is Adobe Reader 9.1. As you know, 9.1 is an old version of Adobe Reader, but no other version will work with our proprietary software and of course our corporate office likes to make things difficult. So after a Google search for 9.1, I attempted the download here: affenknecht.com/temp/files/download-adobe-reader-91.php

That site is where I contracted the virus that I now have. Our virus scan software is required and controlled by our corporate office (but they do not help us clean infected PCs). We run Symantec Endpoint Protection. I also run Immunet 3.0, Secunia PSI and Malwarebytes if I suspect infections or if software needs to be updated (I can update some software on my own without creating conflicts, but not adobe reader).

So after contracting the virus, I immediately noticed that Symantec Endpoint Protection was being blocked. I could not run scans through it, Immunet or Malwarebytes. Immunet would open, but scanning was disabled (greyed out). Malwarebytes opened at first, but my definitions were out of date. When I tried to update the definitions, I got an error and was asked to call support to correct it. I closed the program out, and then when I would try to run it from the Start menu, it simply gave me the error that the path of the program was not valid (I checked Program Files and it was still there, so clearly this was the virus at work - I couldn't even open the program from the root directory). I was still able to connect to the internet, so I downloaded SUPERAntiSpyware, loaded it and ran it (it was allowed to run). It found 517 tracking cookies and erased them all, but no viruses. Malwarebytes still couldn't run, so I got the brilliant idea to re-download and install it. That worked. I was able to update definitions to the most recent and run a full scan. It found 17 or so random tracking cookies and 2 trojan horses - Backdoor.0access and Trojan.Agent.

Malwarebytes said it cleaned them and deleted the files, but my virus scanners still will not work. I ran SAS again and Malwarebytes a few more times, and came up empty. That's when I decided, through web search and forum posts here, to go the ComboFix route. I know it could potentially render my PC unusable, and luckily I am backed up, but my PC is not simple to reload with software. If this was my home PC, I would format the drive and start over and not waste my time chasing unicorns. But this PC takes a week or so to bring back to life because of all the proprietary software that has to be tunneled into it through our corporate VPN.

So I ran ComboFix, but it did not run correctly. I kept getting several errors as it proceeded, including that Windows could not find NIRCMD, NIRKMD, NIRCMDB.exe, and the screen that said that Windows needed to close the process down. It rebooted twice, and ran through all 50 stages (each time giving me the NIRKMD message) and is now on the "COMBOFIX - FIND3M" box. I think that takes me to where I am. I am posting this on another PC while the infected PC continues to run ComboFix. It hasn't gotten to any kind of log screen yet. If it does I can post it upon request. I am just wondering if there is any hope whatsoever.
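The symptom pattern in the post above (security tools that open but cannot scan, and a "path is not valid" error for a program whose executable is still present in Program Files) is what a practitioner would check first by looking at the two Windows registry mechanisms that most often produce it: Image File Execution Options "Debugger" values, which redirect a named executable to another program at launch, and App Paths entries, which the Start menu and Run dialog use to resolve a short name to a full path. The thread does not identify which mechanism (if either) was in play on this machine. The script below is an added diagnostic, not part of the original post and not from any of the tools mentioned; it assumes PowerShell is installed on the host (PowerShell 2.0 is available for Windows XP SP3), and the executable names in $Targets are assumptions chosen to match the tools named in the post.

```powershell
# Added diagnostic (not from the original post). Lists IFEO Debugger
# redirections and checks App Paths entries for the security tools named
# in the thread. Read-only: it changes nothing on the host.
# Assumes PowerShell 2.0 or later; syntax avoids 3.0-only features.

# ASSUMED executable names for the tools the post mentions; adjust to match
# the binaries actually installed on the machine.
$Targets = @(
    'mbam.exe',              # Malwarebytes Anti-Malware
    'ccSvcHst.exe',          # Symantec Endpoint Protection service host
    'Smc.exe',               # Symantec Management Client
    'SUPERAntiSpyware.exe',  # SUPERAntiSpyware
    'agent.exe'              # Immunet (assumed)
)

$IfeoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$AppPathsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

function Get-IfeoDebuggers {
    # Every IFEO subkey that carries a "Debugger" value causes Windows to
    # launch that debugger instead of the named executable. Legitimate
    # entries are rare on a workstation; malware abuses this to point
    # security tools at a stub that exits immediately or at a bogus path.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            New-Object PSObject -Property @{
                Executable = $_.PSChildName
                Debugger   = $props.Debugger
                Flagged    = ($Targets -contains $_.PSChildName)
            }
        }
    }
}

function Test-AppPaths {
    # App Paths maps a short name (e.g. mbam.exe) to a full path under its
    # default value. If that path no longer resolves, launching via Start
    # menu or Run fails with a "path not valid" style error even though the
    # real file is untouched in Program Files.
    foreach ($name in $Targets) {
        $key = Join-Path $AppPathsRoot $name
        if (Test-Path $key) {
            $full = (Get-ItemProperty -Path $key).'(default)'
            New-Object PSObject -Property @{
                Executable     = $name
                RegisteredPath = $full
                PathExists     = [bool]($full -and (Test-Path $full))
            }
        }
    }
}

Write-Host '== IFEO Debugger entries (Flagged = matches a security tool) =='
Get-IfeoDebuggers | Format-Table Executable, Debugger, Flagged -AutoSize

Write-Host '== App Paths entries for the security tools =='
Test-AppPaths | Format-Table Executable, RegisteredPath, PathExists -AutoSize
```

Run it from an elevated PowerShell prompt. A Debugger value on any of the security tool names, or an App Paths entry whose PathExists is False, is worth reporting in the logs thread rather than removing by hand, since the helpers there will want to see the original state.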

#2 Broni (BC Advisor, 42,760 posts, Daly City, CA)

Posted 11 September 2011 - 12:27 PM

With the information you have provided, I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include the required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!


#3 billycuth (Topic Starter, Members, 20 posts)

Posted 11 September 2011 - 01:20 PM

new thread with logs can be found here:

http://www.bleepingcomputer.com/forums/topic418483.html

#4 Broni (BC Advisor, 42,760 posts, Daly City, CA)

Posted 11 September 2011 - 01:59 PM

Thank you :)

#5 billycuth (Topic Starter, Members, 20 posts)

Posted 11 September 2011 - 02:45 PM

thank you, actually :)

#6 Orange Blossom (Moderator, 37,062 posts, Bloomington, IN)

Posted 11 September 2011 - 03:18 PM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.
