
Infected by backdoor.


22 replies to this topic

#1 Allen

Allen

  • Members
  • 337 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:01:55 AM

Posted 04 September 2012 - 08:22 AM

So yeah, I ran MBAM after MSE caught a backdoor. MSE caught it 2 days ago and I just ran MBAM today; this is what MBAM found:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.04.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
lakelands small engi :: FIREMASTER1337L [administrator]

04/09/2012 10:09:42 AM
mbam-log-2012-09-04 (10-09-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 225447
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\lakelands small engi\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\lakelands small engi\AppData\Roaming\dclogs\2012-09-02-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\lakelands small engi\AppData\Roaming\dclogs\2012-09-04-3.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)
Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#2 Allen

Posted 04 September 2012 - 08:34 AM

Right now as we speak I am running a full scan and so far it picked up 1 virus

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,126 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:55 AM

Posted 04 September 2012 - 08:35 AM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.


Then try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator.
    To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Allen

Posted 04 September 2012 - 10:01 AM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.04.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
lakelands small engi :: FIREMASTER1337L [administrator]

04/09/2012 10:22:56 AM
mbam-log-2012-09-04 (10-22-56).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 389298
Time elapsed: 1 hour(s), 34 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\Electronic Arts\The Sims 3\Game\Bin\The.Sims.3.Generic.NoDVD.Patcher.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.

(end)


Hack tool is my nephew's fault he is so dead the next time I see him
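As an added example (not code from the thread or from Malwarebytes), here is a parser for the MBAM 1.x log format used in the two logs above. It checks each section's declared count against the lines actually present, which catches a log that was truncated when it was pasted, and it separates detections that indicate a compromise (Stolen.Data, Malware.Trace, Backdoor.*, Trojan.*) from PUP hits such as the PUP.Hacktool.Patcher entry in the full scan. The HKCU\Software\DC3_FEXEC key and the %AppData%\Roaming\dclogs folder of dated .dc files in the first log are the artifacts left by the DarkComet RAT's keylogger, the family ESET later reports in this thread as Win32/Fynloski, so a Stolen.Data hit means keystrokes were already captured to disk and every password typed on that machine should be changed from a clean device. SAMPLE_LOG is a constructed excerpt of the first log; the prefix grouping is the example's own, not a Malwarebytes classification.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log into structured detections.

Added example; not code from the original thread or from Malwarebytes.
SAMPLE_LOG is a constructed excerpt that mirrors the first (quick-scan) log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "Registry Keys Detected: 1" style section headers
_SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<item> (<Detection.Name>) -> <action>." style result lines
_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Name prefixes treated as evidence of compromise rather than of an unwanted
# program. This grouping is the example's own, not a Malwarebytes category.
COMPROMISE_PREFIXES = ("Stolen.", "Backdoor.", "Trojan.", "Malware.Trace")

SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.62.0.1300
Scan type: Quick scan

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Folders Detected: 1
C:\Users\lakelands small engi\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\lakelands small engi\AppData\Roaming\dclogs\2012-09-02-1.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\lakelands small engi\AppData\Roaming\dclogs\2012-09-04-3.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)
"""


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Registry Keys", "Folders", "Files"
    item: str      # registry key, folder or file path
    name: str      # Malwarebytes detection name, e.g. "Stolen.Data"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line; raise if a section's count does not match."""
    found: list[Detection] = []
    expected: dict[str, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m["section"]
            expected[section] = int(m["count"])
            continue
        if section is None:
            continue  # scan header (version, OS, options): nothing to extract
        m = _ITEM_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["name"], m["action"]))
    for sec, count in expected.items():
        got = sum(1 for d in found if d.section == sec)
        if got != count:  # header and body disagree: truncated or edited paste
            raise ValueError(f"{sec}: header says {count}, parsed {got}")
    return found


def compromise_indicators(detections: list[Detection]) -> list[Detection]:
    """Detections that point to a backdoor or data theft rather than a PUP."""
    return [d for d in detections if d.name.startswith(COMPROMISE_PREFIXES)]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for d in dets:
        print(f"{d.section:14} {d.name:16} {d.item}")
    if compromise_indicators(dets):
        print("compromise indicators present: treat the host as owned, "
              "reset credentials from a clean machine")
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; a ValueError means the paste lost lines and the poster should be asked for the full log before anyone reasons about what was removed.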

#5 quietman7

Posted 04 September 2012 - 10:18 AM

Hack tool is my nephew's fault he is so dead the next time I see him

It's not so much that this particular "Hack Tool" is the problem as it is going to sites which offer such tools. Visiting those types of sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

#6 Allen

Posted 04 September 2012 - 10:20 AM

Quietman, I know. I don't go to these types of sites. I checked my history and couldn't find anything, so it's more than likely that he cleared it.

#7 Allen

Posted 04 September 2012 - 11:16 AM

Scanning. I accidentally killed it the first time and now I'm running it again; it found 2 viruses so far while I was gone.
Update: for the second time I had to restart, because I left "Remove found threats" checked.
Update again: it's almost finished, 7 viruses so far.

Edited by firemaster1337, 04 September 2012 - 12:38 PM.


#8 quietman7

Posted 04 September 2012 - 12:24 PM

Ok.

#9 Allen

Posted 04 September 2012 - 01:53 PM

The scan is done:
C:\Users\lakelands small engi\AppData\Roaming\Microsoft\twunk_16.exe Win32/Fynloski.AA trojan
C:\Users\lakelands small engi\Downloads\backup-9.3.2012_15-18-17_fireman9.tar.gz HTML/ScrInject.B.Gen virus
C:\Users\lakelands small engi\Downloads\backup-firemaster1337.co.cc-9-3-2012.tar.gz HTML/ScrInject.B.Gen virus
C:\Users\lakelands small engi\Downloads\Daemon tools pro advanced.rar Win32/OpenCandy application
C:\Users\lakelands small engi\Downloads\DAEMONToolsPro510-0333.exe Win32/OpenCandy application
C:\Users\lakelands small engi\Downloads\Daemon_Tools_Pro_5_by_Arphanet2012.rar Win32/OpenCandy application
C:\Users\lakelands small engi\Downloads\DTLite4454-0315.exe Win32/OpenCandy application
C:\Users\lakelands small engi\Downloads\ru-s3gnp.rar a variant of Win32/HackTool.Patcher.T application
C:\Users\lakelands small engi\Downloads\ubcd511.iso Win32/PSWTool.KonBoot.A application
C:\Users\lakelands small engi\SkyDrive\backup-9.3.2012_15-18-17_fireman9.tar.gz HTML/ScrInject.B.Gen virus
C:\Users\lakelands small engi\SkyDrive\backup-firemaster1337.co.cc-9-3-2012.tar.gz HTML/ScrInject.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\upgrade[1].cab multiple threats
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\upgrade[1].cab multiple threats
Operating memory a variant of Win32/Fynloski.AA trojan

#10 Allen

Posted 04 September 2012 - 02:00 PM

The ScrInject files are from a backup of my site, and I am contacting the owner of the host to find out what's going on.

#11 quietman7

Posted 04 September 2012 - 02:06 PM

If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include files which it considers suspicious, a risk tool, a potential unwanted program or another type of threat. That's why I didn't ask you to remove anything during the first scan until we could determine what it was going to detect.

If you're not sure or want a second opinion, submit the file(s) to one of the following online services that analyzes suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

#12 quietman7

Posted 04 September 2012 - 02:07 PM

OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisement is a way to promote software packages and recover development costs. The OpenCandy FAQs answers many questions users may have about this product.

OpenCandy is technically not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

This is what OpenCandy has to say about their product.

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

What is OpenCandy?

The OpenCandy network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows), which clearly indicates on their website the use of OpenCandy.

OpenCandy is an advertising application.

OpenCandy is similar to Google AdSense, except that it displays advertisements in installation programs instead of on websites. These advertisements promote other software packages. The advertisements are selected by the providers of the software being installed. When a user installing the software (SIW) chooses to install the promoted package, revenue is generated and shared between OpenCandy and the software providers (SIW developers).

SIW Home Edition is bundled with OpenCandy

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as a Potentially Unwanted Program (PUP) or Adware, pop-up ads, a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, an adware program that might be bundled with other installers.

In response to this detection, OpenCandy has provided the following information:

IMO, removal of OpenCandy detections is an optional choice. I have provided the information so you can make an informed decision as to whether to remove it or not.

#13 Allen

Posted 04 September 2012 - 02:10 PM

So what do I do now? I mean, it found some OS memory to have the trojan?

#14 quietman7

Posted 04 September 2012 - 02:18 PM

If you want to remove those detections, just rerun Eset Online Anti-virus Scanner again, but this time under scan settings, be sure to check the option to Remove found threats. Save the log as before and copy and paste the contents in your next reply.

Ignore anything you believe may be a false positive.
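The result list in reply #9 and the remove-or-ignore guidance in the replies after it, as an added example (not code from the thread or from ESET): a parser for the flat "<path> <detection>" lines the ESET Online Scanner reports, with the results bucketed the way the later replies treat them. "application" detections (the OpenCandy adware in the DAEMON Tools installers, the Kon-Boot password tool inside a boot-CD image, the patcher archive) are the judgement calls that may be wanted; trojan/virus/"multiple threats" lines are removals; and the "Operating memory" hit means the backdoor was still running when the scan ran, so deleting files without a removal pass and a reboot would not have been enough, which is what the "some OS memory" question is really about. The HTML/ScrInject hits are inside backups of Allen's own website, which points at injected script in the hosted pages rather than at this PC. The code also flags the same backup archive sitting in both Downloads and SkyDrive: the SkyDrive copy is a synced file, so the detection also lives in the cloud account and on anything else that syncs that folder. SAMPLE is constructed from the lines in reply #9; the bucket names and the archive-extension list are the example's own.

```python
"""Triage the flat "<path> <detection>" result lines of the ESET Online Scanner.

Added example; not code from the original thread or from ESET. SAMPLE is a
constructed excerpt modelled on the result lines posted in reply #9.
"""
from __future__ import annotations

import re
from collections import defaultdict

# A result line is a path (which may contain spaces), then the detection:
# optional "a variant of", the signature name, and a type word.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>"
    r"(?:a variant of\s+)?(?:Win32|Win64|HTML|JS|MSIL|VBS)/\S+"
    r"(?:\s+(?:trojan|virus|worm|application))?"
    r"|multiple threats)$"
)
# Containers whose contents are inert until extracted (example's own list)
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".iso", ".cab", ".tar.gz", ".tgz")

SAMPLE = [
    r"C:\Users\lakelands small engi\AppData\Roaming\Microsoft\twunk_16.exe Win32/Fynloski.AA trojan",
    r"C:\Users\lakelands small engi\Downloads\backup-firemaster1337.co.cc-9-3-2012.tar.gz HTML/ScrInject.B.Gen virus",
    r"C:\Users\lakelands small engi\SkyDrive\backup-firemaster1337.co.cc-9-3-2012.tar.gz HTML/ScrInject.B.Gen virus",
    r"C:\Users\lakelands small engi\Downloads\DTLite4454-0315.exe Win32/OpenCandy application",
    r"C:\Users\lakelands small engi\Downloads\ru-s3gnp.rar a variant of Win32/HackTool.Patcher.T application",
    r"C:\Users\lakelands small engi\Downloads\ubcd511.iso Win32/PSWTool.KonBoot.A application",
    r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\upgrade[1].cab multiple threats",
    "Operating memory a variant of Win32/Fynloski.AA trojan",
]


def parse_eset_line(line: str) -> tuple[str, str] | None:
    """Split one result line into (path, detection); None if it is not one."""
    m = _LINE_RE.match(line.strip())
    return (m["path"], m["detection"]) if m else None


def classify(path: str, detection: str) -> str:
    """Bucket one result for the cleanup decision."""
    if path.lower() == "operating memory":
        return "active"      # the malware is running: removal pass and reboot
    if detection.endswith("application"):
        return "riskware"    # PUP / hacktool / adware: judgement call, may be wanted
    return "malware"         # trojan, virus, worm or "multiple threats": remove


def in_archive(path: str) -> bool:
    """Detections inside archives or disc images are inert until extracted."""
    return path.lower().endswith(ARCHIVE_EXTS)


def triage(lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    buckets: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_eset_line(line)
        if parsed is not None:
            buckets[classify(*parsed)].append(parsed)
    return dict(buckets)


def synced_copies(lines: list[str]) -> dict[str, list[str]]:
    """File names reported under more than one folder: sync or backup copies
    that must be cleaned in every location or they come straight back."""
    folders: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_eset_line(line)
        if parsed is None or "\\" not in parsed[0]:
            continue  # "Operating memory" and other non-path entries
        folder, name = parsed[0].rsplit("\\", 1)
        folders[name].add(folder)
    return {n: sorted(f) for n, f in folders.items() if len(f) > 1}


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(f"== {bucket} ==")
        for path, det in hits:
            flag = " [archive]" if in_archive(path) else ""
            print(f"  {det:45} {path}{flag}")
    for name, places in synced_copies(SAMPLE).items():
        print(f"synced copy: {name} in {places}")
```

Feed it the saved ESETScan.txt line by line; anything that lands in "active" is the reason to rerun the scanner with Remove found threats checked and reboot, while the "riskware" bucket is the list to review by hand (or by hash at a second-opinion service) before deleting.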

#15 Allen

Posted 04 September 2012 - 02:21 PM

K this is gonna be a while
