
A few "high risk" trojans malwarebytes won't pick up


8 replies to this topic

#1 04bluer6

04bluer6

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 March 2012 - 06:47 PM

Ok, I've browsed this forum enough as a guest and decided to register seeing how this is the first time I wasn't able to find any info anywhere online on the few viruses I have.

System: Windows Vista home premium service pack 2 32 bit

My computer got incredibly slow lately so I ran Avast and malwarebytes and neither picked up anything. So I decided to boot in safe mode and run stop sign free version just to see if it would pick anything up. Here is what it says I have:

Full Virus Scan Details:

Backdoor.Win32.Hupigon.nqui: Virus
c:\users\drew\desktop\iexplore.exe is Infected.

Trojan-Proxy.Win32.Fackemo.v: Virus
c:\windows\temp\tmp000000049c5ec329b6e04370 is Infected.

Trojan-Spy.Win32.Zbot.bzzg: Virus
c:\program files\microsoft works\wksss.exe is Infected.
c:\swsetup\msworks\us\pfiles\msworks\wksss.exe is Infected.

Trojan.Win32.Genome.ujda: Virus
c:\program files\online services\ebay\wizlink.exe is Infected.
c:\hp\hpqware\wc\en_ca\wildtangent\wizlink.exe is Infected.
c:\hp\hpqware\wc\en_us\wildtangent\wizlink.exe is Infected.

Spyware:

AdServer Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserv01[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserver.adtechus[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserver.adtechus[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserver.adtechus[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserver.adtechus[5].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserver.easyad[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserving.autotrader[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserving.autotrader[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@adserving.autotrader[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@imt-adserver[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@www.googleadservices[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@www.googleadservices[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@www.googleadservices[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@www.googleadservices[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@www.googleadservices[5].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserver.adtechus[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserver.adtechus[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserver.adtechus[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserver.hardsextube[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserver.hardsextube[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserving.autotrader[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserving.autotrader[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserving.autotrader[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@adserving.ezanga[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@smartadserver[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@www.googleadservices[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@www.googleadservices[2].txt is Infected.

Bluestreak Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@bluestreak[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@bluestreak[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@bluestreak[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@bluestreak[1].txt is Infected.

CoreMetrics Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@data.coremetrics[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@data.coremetrics[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@data.coremetrics[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@test.coremetrics[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@test.coremetrics[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@test.coremetrics[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@data.coremetrics[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@data.coremetrics[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@testdata.coremetrics[1].txt is Infected.

FastClick Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@fastclick[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@fastclick[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@fastclick[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[5].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[6].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@fastclick[7].txt is Infected.

MediaPlex Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@mediaplex[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@mediaplex[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@mediaplex[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@mediaplex[5].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@mediaplex[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@mediaplex[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@mediaplex[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@mediaplex[5].txt is Infected.
TradeDoubler Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@tradedoubler[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@tradedoubler[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@tradedoubler[4].txt is Infected.

WebtrendsLive Cookie: Spyware Cookie
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@m.webtrends[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@m.webtrends[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@statse.webtrendslive[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@statse.webtrendslive[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@statse.webtrendslive[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@webtrends.chase[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@webtrends.chase[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@webtrends.chase[4].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\Low\drew@webtrends.reynoldswebsolutions[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@m.webtrends[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@statse.webtrendslive[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@statse.webtrendslive[3].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@webtrends.chase[1].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@webtrends.chase[2].txt is Infected.
C:\Users\Drew\AppData\Roaming\Microsoft\Windows\Cookies\drew@webtrends.chase[3].txt is Infected.
C:\Users\Drew\AppData\

I tried booting in safe mode and updating avast and malwarebytes, and they still didn't pick them up. So I ran Rkill (I got it from this site a while back and it was successful in removing other viruses) and tried again and same result. I'm kinda lost now as I'd rather not spend the $30 on a program unless I really need to.

If any other info is needed...please let me know! Thanks in advance for any help!

Edited by 04bluer6, 15 March 2012 - 06:49 PM.
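A small parser for the scan listing above, added here as an example (it is not from the original post or from the scanner that produced the listing). It reads the "Name: Kind" headers and the "path is Infected." lines into records, separates the executable detections from the tracking-cookie noise, and flags binaries sitting in a user's Desktop or the Windows temp folder, which is where the listed backdoor and proxy trojan were found. The sample report is a constructed, shortened copy of the listing; the "suspicious directory" markers are an assumption of this example, not a scanner rule.

```python
import re

# Constructed sample: a shortened copy of the scan listing quoted in the post,
# in the same "Name: Kind" / "<path> is Infected." layout.
SAMPLE_REPORT = """Full Virus Scan Details:

Backdoor.Win32.Hupigon.nqui: Virus
c:\\users\\drew\\desktop\\iexplore.exe is Infected.

Trojan-Proxy.Win32.Fackemo.v: Virus
c:\\windows\\temp\\tmp000000049c5ec329b6e04370 is Infected.

Trojan-Spy.Win32.Zbot.bzzg: Virus
c:\\program files\\microsoft works\\wksss.exe is Infected.
c:\\swsetup\\msworks\\us\\pfiles\\msworks\\wksss.exe is Infected.

Spyware:

AdServer Cookie: Spyware Cookie
C:\\Users\\Drew\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\drew@adserv01[1].txt is Infected.

FastClick Cookie: Spyware Cookie
C:\\Users\\Drew\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\drew@fastclick[1].txt is Infected.
"""

# A detection header is "<name>: Virus" or "<name>: Spyware Cookie".
HEADER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<kind>Virus|Spyware Cookie)$")
# Every line under a header names one affected path.
PATH_RE = re.compile(r"^(?P<path>.+?) is Infected\.$")

# Assumed markers for this example: a copy of a system binary on the Desktop or an
# unnamed blob in the temp folder deserves a look before anything else.
SUSPICIOUS_DIRS = ("\\desktop\\", "\\temp\\")


def parse_report(text):
    """Turn the report into (detection_name, kind, path) tuples."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = (header.group("name").strip(), header.group("kind"))
            continue
        hit = PATH_RE.match(line)
        if hit and current is not None:
            findings.append((current[0], current[1], hit.group("path")))
    return findings


def triage(findings):
    """Separate executable detections from tracking cookies, count them by family,
    and flag binaries found in a user's Desktop or the Windows temp directory."""
    result = {"threats": [], "cookies": [], "suspicious_locations": [], "families": {}}
    for name, kind, path in findings:
        if kind == "Spyware Cookie":
            result["cookies"].append(path)
            continue
        result["threats"].append((name, path))
        family = name.split(".")[0]            # e.g. "Backdoor", "Trojan-Spy"
        result["families"][family] = result["families"].get(family, 0) + 1
        if any(marker in path.lower() for marker in SUSPICIOUS_DIRS):
            result["suspicious_locations"].append(path)
    return result


def summarize(text=SAMPLE_REPORT):
    return triage(parse_report(text))


if __name__ == "__main__":
    summary = summarize()
    print(f"{len(summary['threats'])} executable detections, "
          f"{len(summary['cookies'])} tracking cookies")
    for path in summary["suspicious_locations"]:
        print("review first:", path)
```

Run it against a saved copy of a scan log and the cookie entries drop out of the picture immediately, leaving the handful of executables that decide whether the machine can be trusted. Sorting the hits by family and location is what a helper on the forum does by eye before replying.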




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:34 AM

Posted 15 March 2012 - 07:09 PM

Hello, you have backdoors and info stealers, e.g. Win32.Hupigon.nqui.
TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.

Win32.Zbot.bzzg: The trojan collects FTP credentials (IP, port, user name, and passwords) from the following FTP software:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot


So I want to say this first...
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 04bluer6

04bluer6
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 March 2012 - 07:23 PM

I have thought about wiping and starting clean, I actually almost started that tonight. I may still do that. I didn't want to lose all of the stuff on my computer but if it comes down to it, I guess I'd have to.

#4 04bluer6

04bluer6
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 March 2012 - 07:27 PM

What is the best way to back up files without possibly backing up one of the viruses?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:34 AM

Posted 15 March 2012 - 07:38 PM

Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review these links, which include step-by-step instructions with screenshots. Vista users can refer to these instructions. Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

Edited by boopme, 15 March 2012 - 07:39 PM.


#6 04bluer6

04bluer6
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 15 March 2012 - 08:54 PM

Thanks much for the help. Guess I'll start with wiping it this weekend.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:34 AM

Posted 15 March 2012 - 09:57 PM

You're welcome. It's not what we wanted but it's the safest choice with all the ID theft out there. It's what I'd have done.

#8 04bluer6

04bluer6
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 20 March 2012 - 05:27 PM

Since safe mode doesn't load the drivers for the cd drive/ burner, how can I put the files on the cd? Boot it up normally?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:34 AM

Posted 20 March 2012 - 08:24 PM

I wasn't aware you only had safe mode.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.
  • How and Where to backup your files in XP or Vista
Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.


Edited by boopme, 20 March 2012 - 08:26 PM.

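The backup rule boopme gives twice in this thread (posts #5 and #9: copy documents and photos only, skip the listed extensions, watch for stacked extensions like "photo.jpg.exe" that Windows shows as "photo.jpg") as a script, added here as an example and not part of the original posts. It goes one step beyond the posts' file-name checks: it also peeks at the first two bytes of each file, since a Windows executable starts with "MZ" whatever its name claims. The sample folder tree it builds is constructed for the demonstration, and the document-extension list and the "MZ" check are this example's own assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path

# The extension list from the post: never copy these into a backup.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php",
                      ".asp", ".xml", ".zip", ".rar", ".cab"}
# Ordinary document/media extensions (assumed list); "holiday.jpg.exe" stacks one
# of these in front of a blocked one so Windows, hiding known extensions, shows "holiday.jpg".
DOC_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                  ".xls", ".xlsx", ".txt", ".mp3", ".avi", ".mov"}


def classify(name, header=b""):
    """Return "copy" or a "skip: ..." reason for one file.
    `header` is the first two bytes of the file (the caller reads them)."""
    # strip() defeats the padded-name trick, e.g. "photo.jpg   .exe"
    suffixes = [s.strip().lower() for s in Path(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in BLOCKED_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXTENSIONS:
            return "skip: disguised executable (double extension)"
        return f"skip: blocked extension {final}"
    # Windows executables (PE files) start with "MZ" whatever the name says.
    if header.startswith(b"MZ"):
        return "skip: executable header behind a non-executable name"
    return "copy"


def plan_backup(src_dir):
    """Walk src_dir and return {relative/posix/path: decision} for every file."""
    decisions = {}
    for root, _dirs, files in os.walk(src_dir):
        for fname in files:
            full = os.path.join(root, fname)
            with open(full, "rb") as fh:
                header = fh.read(2)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            decisions[rel] = classify(fname, header)
    return decisions


def run_backup(src_dir, dst_dir):
    """Copy only the files classify() approves, keeping the folder layout."""
    copied = []
    for rel, decision in plan_backup(src_dir).items():
        if decision != "copy":
            continue
        target = os.path.join(dst_dir, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src_dir, rel), target)
        copied.append(rel)
    return sorted(copied)


def build_sample_tree():
    """Constructed sample: a few documents plus the kinds of files the post warns about."""
    base = tempfile.mkdtemp(prefix="backup_demo_")
    samples = {
        "Documents/thesis.docx": b"PK\x03\x04 docx content",
        "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg content",
        "Pictures/holiday.jpg.exe": b"MZ fake",             # double extension
        "Downloads/setup.exe": b"MZ installer",
        "Downloads/archive.zip": b"PK\x03\x04 zip",
        "Desktop/notes.htm": b"<html></html>",
        "Desktop/readme.txt": b"MZ not really text",         # PE header behind .txt
    }
    for rel, content in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


def backup_to_temp(src_dir):
    """Back src_dir up into a fresh temp folder; returns (destination, copied files)."""
    dst = tempfile.mkdtemp(prefix="backup_out_")
    return dst, run_backup(src_dir, dst)


if __name__ == "__main__":
    src = build_sample_tree()
    for rel, decision in sorted(plan_backup(src).items()):
        print(f"{decision:55} {rel}")
    print("copied:", backup_to_temp(src)[1])
```

Point `plan_backup` at a real profile folder first and read the skip reasons before copying anything; the header check is what catches a renamed executable that a pure extension filter waves through. It does not replace the post's last step: the copied files still get scanned before they go back onto the rebuilt machine.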