Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor agent.


  • Please log in to reply
3 replies to this topic

#1 Fletcharmander

Fletcharmander

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:28 PM

Posted 20 October 2011 - 12:50 PM

I seem to have a piece of spyware on my laptop i cannot get rid of.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell

When I try to go on a website or click a link, the majority of the time my browser takes me to a random spam website, like jollysearchengine.com, so i believe this is what is causing it.

Usually Malware Bytes gets rid of everyting for me. But this thing just wont go away.

Here is my Malwarebytes Log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7984

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

20/10/2011 00:52:26
mbam-log-2011-10-20 (00-52-26).txt

Scan type: Quick scan
Objects scanned: 191968
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I found another thread on google about this same problem, and did the suggested of download SUPERantiSpyware. I done that and all suggested.

Here is my log from that:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/20/2011 at 01:38 PM

Application Version : 5.0.1134

Core Rules Database Version : 7824
Trace Rules Database Version: 5636

Scan type : Complete Scan
Total Scan Time : 01:38:51

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC On - Limited User

Memory items scanned : 694
Memory threats detected : 0
Registry items scanned : 72611
Registry threats detected : 0
File items scanned : 107714
File threats detected : 144

Adware.Tracking Cookie
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\76K8911F.txt [ /247realmedia.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\FTTGJR4S.txt [ /imrworldwide.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\L74WAKNK.txt [ /tradedoubler.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\1L16TF29.txt [ /doubleclick.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\53VALAGW.txt [ /kontera.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\6B2C4G5S.txt [ /ad.zanox.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\UN2YB6XU.txt [ /adxpose.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\3RBMT4FW.txt [ /eas8.emediate.eu ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\X75SQ28I.txt [ /ads.creafi.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\037F0Z63.txt [ /fidelity.rotator.hadj7.adjuggler.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\1BV32LFM.txt [ /ru4.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\7TEX5AGZ.txt [ /ads.gamersmedia.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\P5J784DB.txt [ /weborama.fr ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\AS11FOV3.txt [ /atdmt.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\7S86K1WI.txt [ /adviva.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\S5GS889H.txt [ /invitemedia.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\5EIRN1Z4.txt [ /zanox.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\9ZDWA5YF.txt [ /indieclick.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\6DMK5QOT.txt [ /yieldmanager.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\QNRX2H3Z.txt [ /zedo.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\O1HMINUJ.txt [ /advertising.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\4TOCBULN.txt [ /ad.360yield.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\7RDHBJRA.txt [ /mediaplex.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\3K5MIZXB.txt [ /ads.pubmatic.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\HDSPJYW0.txt [ /serving-sys.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\M16Z5BQ4.txt [ /pro-market.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\1WFMWC06.txt [ /adbrite.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\U5TB16CF.txt [ /media6degrees.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\4O834I9A.txt [ /ad.yieldmanager.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\VS2ECFUC.txt [ /c.gigcount.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\W70VA3C2.txt [ /trafficno.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\5B66508G.txt [ /revsci.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\4HSGFUYH.txt [ /adform.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\UPMAF57R.txt [ /baa.solution.weborama.fr ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\62GYKR97.txt [ /tribalfusion.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\DA9IC983.txt [ /statcounter.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\T5H8CWL9.txt [ /eas.apm.emediate.eu ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\9XGBF44Z.txt [ /adfarm1.adition.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\74V4EQ4V.txt [ /search.clicksfind.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\DHI79DPI.txt [ /casalemedia.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\ME5P44JH.txt [ /bs.serving-sys.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\FXZD2WS1.txt [ /collective-media.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\A7FA24VV.txt [ /specificclick.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\XVASW16F.txt [ /optimize.indieclick.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\S5VCEOU1.txt [ /fastclick.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\S3KM7H1H.txt [ /apmebf.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\W83ICUVR.txt [ /track.adform.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\ZUCHLW4M.txt [ /advertise.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\89E8LHFG.txt [ /eas4.emediate.eu ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\8UNUCUN3.txt [ /2o7.net ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\XW0XYKY3.txt [ /ad2.adfarm1.adition.com ]
C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Cookies\0DY9POCC.txt [ /adtech.de ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@doubleclick[2].txt [ Cookie:hannah@doubleclick.net/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@atdmt[2].txt [ Cookie:hannah@atdmt.com/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@apmebf[2].txt [ Cookie:hannah@apmebf.com/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@adbrite[1].txt [ Cookie:hannah@adbrite.com/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@adviva[1].txt [ Cookie:hannah@adviva.net/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@yieldmanager[1].txt [ Cookie:hannah@yieldmanager.net/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@tribalfusion[1].txt [ Cookie:hannah@tribalfusion.com/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@invitemedia[2].txt [ Cookie:hannah@invitemedia.com/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@microsoftinternetexplorer.112.2o7[1].txt [ Cookie:hannah@microsoftinternetexplorer.112.2o7.net/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@specificclick[1].txt [ Cookie:hannah@specificclick.net/ ]
C:\USERS\HANNAH\AppData\Roaming\Microsoft\Windows\Cookies\Low\hannah@statcounter[1].txt [ Cookie:hannah@statcounter.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\WZKXWS7B.txt [ Cookie:lewis@adsonar.com/adserving ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\BH2G8HIG.txt [ Cookie:lewis@members.pornpros.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\GDYJPDT3.txt [ Cookie:lewis@atdmt.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\RX746LGF.txt [ Cookie:lewis@adbrite.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\2YDDKAP9.txt [ Cookie:lewis@pro-market.net/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\9Y0KECCD.txt [ Cookie:lewis@media6degrees.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\8SKFO62W.txt [ Cookie:lewis@adultfriendfinder.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\R44C26FB.txt [ Cookie:lewis@adserver2.exgfnetwork.com/ ]
C:\USERS\LEWIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\DWJXHDHK.txt [ Cookie:lewis@pornpros.com/ ]
C:\USERS\LEWIS\Cookies\76K8911F.txt [ Cookie:lewis@247realmedia.com/ ]
C:\USERS\LEWIS\Cookies\L74WAKNK.txt [ Cookie:lewis@tradedoubler.com/ ]
C:\USERS\LEWIS\Cookies\1L16TF29.txt [ Cookie:lewis@doubleclick.net/ ]
C:\USERS\LEWIS\Cookies\53VALAGW.txt [ Cookie:lewis@kontera.com/ ]
C:\USERS\LEWIS\Cookies\UN2YB6XU.txt [ Cookie:lewis@adxpose.com/ ]
C:\USERS\LEWIS\Cookies\3RBMT4FW.txt [ Cookie:lewis@eas8.emediate.eu/ ]
C:\USERS\LEWIS\Cookies\1BV32LFM.txt [ Cookie:lewis@ru4.com/ ]
C:\USERS\LEWIS\Cookies\7TEX5AGZ.txt [ Cookie:lewis@ads.gamersmedia.com/ ]
C:\USERS\LEWIS\Cookies\P5J784DB.txt [ Cookie:lewis@weborama.fr/ ]
C:\USERS\LEWIS\Cookies\AS11FOV3.txt [ Cookie:lewis@atdmt.com/ ]
C:\USERS\LEWIS\Cookies\7S86K1WI.txt [ Cookie:lewis@adviva.net/ ]
C:\USERS\LEWIS\Cookies\S5GS889H.txt [ Cookie:lewis@invitemedia.com/ ]
C:\USERS\LEWIS\Cookies\QNRX2H3Z.txt [ Cookie:lewis@zedo.com/ ]
C:\USERS\LEWIS\Cookies\O1HMINUJ.txt [ Cookie:lewis@advertising.com/ ]
C:\USERS\LEWIS\Cookies\HDSPJYW0.txt [ Cookie:lewis@serving-sys.com/ ]
C:\USERS\LEWIS\Cookies\M16Z5BQ4.txt [ Cookie:lewis@pro-market.net/ ]
C:\USERS\LEWIS\Cookies\1WFMWC06.txt [ Cookie:lewis@adbrite.com/ ]
C:\USERS\LEWIS\Cookies\U5TB16CF.txt [ Cookie:lewis@media6degrees.com/ ]
C:\USERS\LEWIS\Cookies\4O834I9A.txt [ Cookie:lewis@ad.yieldmanager.com/ ]
C:\USERS\LEWIS\Cookies\W70VA3C2.txt [ Cookie:lewis@trafficno.com/ ]
C:\USERS\LEWIS\Cookies\UPMAF57R.txt [ Cookie:lewis@baa.solution.weborama.fr/ ]
C:\USERS\LEWIS\Cookies\62GYKR97.txt [ Cookie:lewis@tribalfusion.com/ ]
C:\USERS\LEWIS\Cookies\9XGBF44Z.txt [ Cookie:lewis@adfarm1.adition.com/ ]
C:\USERS\LEWIS\Cookies\74V4EQ4V.txt [ Cookie:lewis@search.clicksfind.com/ ]
C:\USERS\LEWIS\Cookies\DHI79DPI.txt [ Cookie:lewis@casalemedia.com/ ]
C:\USERS\LEWIS\Cookies\ME5P44JH.txt [ Cookie:lewis@bs.serving-sys.com/ ]
C:\USERS\LEWIS\Cookies\FXZD2WS1.txt [ Cookie:lewis@collective-media.net/ ]
C:\USERS\LEWIS\Cookies\A7FA24VV.txt [ Cookie:lewis@specificclick.net/ ]
C:\USERS\LEWIS\Cookies\XVASW16F.txt [ Cookie:lewis@optimize.indieclick.com/ ]
C:\USERS\LEWIS\Cookies\S3KM7H1H.txt [ Cookie:lewis@apmebf.com/ ]
C:\USERS\LEWIS\Cookies\W83ICUVR.txt [ Cookie:lewis@track.adform.net/ ]
C:\USERS\LEWIS\Cookies\ZUCHLW4M.txt [ Cookie:lewis@advertise.com/ ]
C:\USERS\LEWIS\Cookies\89E8LHFG.txt [ Cookie:lewis@eas4.emediate.eu/ ]
C:\USERS\LEWIS\Cookies\8UNUCUN3.txt [ Cookie:lewis@2o7.net/ ]
C:\USERS\LEWIS\Cookies\XW0XYKY3.txt [ Cookie:lewis@ad2.adfarm1.adition.com/ ]
C:\USERS\LEWIS\Cookies\0DY9POCC.txt [ Cookie:lewis@adtech.de/ ]
C:\USERS\LEWIS\Cookies\WZKXWS7B.txt [ Cookie:lewis@adsonar.com/adserving ]
ec.atdmt.com [ C:\USERS\HANNAH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\MQNAWBVK ]
ia.media-imdb.com [ C:\USERS\HANNAH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\MQNAWBVK ]
spe.atdmt.com [ C:\USERS\HANNAH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\MQNAWBVK ]
C:\USERS\HANNAH\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\HANNAH@COUNTERS.GIGYA[1].TXT [ /COUNTERS.GIGYA ]
cdn1.image.freeporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
cdn1.static.pornhub.phncdn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
cdn2.invitemedia.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
classic.pornpros.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
content.yieldmanager.edgesuite.net [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
ec.atdmt.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
files.youporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
ia.media-imdb.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
media.ign.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
media.rockstargames.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
media.screened.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
media1.shopto.net [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
media2.shopto.net [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
members.allrealitypass.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
members.pornpros.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
mytubeporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
playah.itsyourporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
s0.2mdn.net [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
secure-uk.imrworldwide.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
secure-us.imrworldwide.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
serving-sys.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
spe.atdmt.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
stat.easydate.biz [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
track.webgains.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.99counters.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.naiadsystems.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.pornhub.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.pornpros.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.pornstarclub.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
www.realgfporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]
wwwstatic.megaporn.com [ C:\USERS\LEWIS\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3TBRATRS ]



The thread i seen then advised to DL and run Gmer. I did that and here is my log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-20 18:30:31
Windows 6.1.7600
Running: 740l57i2.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271361f569
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713787284
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271378e2dc
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271361f569 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713787284 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271378e2dc (not active ControlSet)

---- EOF - GMER 1.0.15 ----


All that done. But this Backdoor agent guy just wont go away!!



What should i do next?
thanks


EDIT: i apologies as i may of put this in the wrong section, sorry.

Edited by hamluis, 20 October 2011 - 01:56 PM.
Moved from Win 7 to Am I Infected.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 PM

Posted 20 October 2011 - 02:29 PM

Hello, I feel it's important that you consider this first.
.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Fletcharmander

Fletcharmander
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:28 PM

Posted 20 October 2011 - 02:48 PM

Thanks for teh reply.

I don't have a lot of stuff on this machine so a re-format would not be a big problem for me, especially if it is teh safest thing to do!

Whats the best way about going to refomat it then? My OS is windows 7.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 PM

Posted 20 October 2011 - 03:28 PM

That is the choice I'd have mage too.
Caution: If you are considering backing up data and reformatting, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users