Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

This PC infected?


  • Please log in to reply
1 reply to this topic

#1 WilliamJV

WilliamJV

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 24 December 2011 - 02:49 PM

Hello,

I am pretty sure the PC I am working on is still infected. A friend asked me to help fix this, but it has gone beyond my knowledge.
It is a Dell Inspiron 530 with Windows XP 64bit.

She noticed the anti-virus program had been out of date for some time. She installed Avast, ran a scan, cleaned files, then it BSOD. After a reboot it was unable to go into windows at all.
That is the point where I received it. I booted up with Ubuntu Live CD ran ClamTK cleaned 10 infected files, rebooted into windows repair mode, restored to a previous restore point.
Booted up into windows. Ran cClean, malware bytes, uninstalled Trend Micro Security suite which was not working.

Attempted to install MSE & AVG AntiVirus. Both tell me unable to access windows installer. The service is running and I attempted this fix by microsoft http://support.microsoft.com/kb/2642495

I even upgraded from Vista SP1 to Vista SP2 and still no success.

Any help would be much appreciated. I have already backed up all the files to an external drive. My next course of action if I cannot fix this is to run a complete restore from the dell partition.

Thanks,
Bill

Edit: I managed to run a quick scan on symantec's website and it looks like an infection on just the little bit I was able to scan. Here is a copy of the results, but any help on what I should do would be very helpful.

C:\Windows\Temp\ngehvn\setup.exe is infected with Suspicious.IRCBot
C:\Windows\SysWOW64\73j3FpS.com is infected with Suspicious.IRCBot
C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll is infected with Backdoor.Trojan
C:\Windows\system64\consrv.dll is infected with Trojan.Gen.2
C:\Windows\System32\73j3FpS.com is infected with Suspicious.IRCBot
C:\Windows\System32\FastUserSwitchingCompatibilityex.dll is infected with Backdoor.Trojan

Edited by WilliamJV, 24 December 2011 - 03:56 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:07 AM

Posted 25 December 2011 - 12:26 AM

Hello, something to consider first.
IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users