
Detecting Malware

5 replies to this topic

#1 Deku

Posted 15 September 2012 - 09:00 AM

Hey all, new user here. Problem is as follows:

Downloaded a suspicious program and ran it.
Program turns out to be malware, turns on my webcam, opens up a screamer picture on my default browser.
I go and disable the webcam through the devices window.
When I go to an IRC channel for help, the malware alters my text and keeps me from typing legible words (except in one instance where I typed "Fu" and it used that to write "bleep gay").
Disconnected from the wireless internet, didn't notice anymore text alteration, but I also hadn't typed after that, so it's possible that it would have kept doing so had I tried typing something.
Restarted computer instead of shutting it down on accident. During the boot, I used a hard shut down.
Booted up again in normal mode, used msconfig to make the computer restart into safe mode.
Downloaded both Malwarebytes and TDSSkiller.
Used Malwarebytes Quick scan.
Used TDSSkiller scan.
Used Malwarebytes full scan.

I use Microsoft Security Essentials as my antivirus, if that's important. I found 12 infected files as a result of all three scans, but I'm not sure whether I've purged the malware or if it's got some hidden file somewhere. My question is, if I do still have malware, how do I find it?

#2 buddy215

Posted 15 September 2012 - 09:24 AM

It would help if you would post the MBAM logs and TDSSkiller log.

What "suspicious" program did you download, run and from what website?

Have you uninstalled the "suspicious" program?

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics... you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Deku

Posted 15 September 2012 - 12:49 PM

The file: http://www.mediafire.com/?53mmn185abjsh5a

MB Log 1:


Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.15.01

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Me :: MY-PC [administrator]

Protection: Disabled

9/15/2012 1:45:38 AM
mbam-log-2012-09-15 (01-45-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208121
Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4352 (PUP.CrossFire.SA) -> Data: CouponDropDown -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Me\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Me\AppData\Local\Temp\CouponDropDown.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Users\Me\Downloads\HomeworldTrainer.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
C:\Users\Me\AppData\Roaming\dclogs\2012-09-15-7.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)

MB log 2:


Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.15.01

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Me :: MY-PC [administrator]

Protection: Disabled

9/15/2012 2:20:14 AM
mbam-log-2012-09-15 (02-20-14).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 622415
Time elapsed: 1 hour(s), 59 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CouponDropDown (Adware.GamePlayLabs) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files (x86)\CouponDropDown\Uninstall.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Users\Me\AppData\Local\Temp\~nsu.tmp\Au_.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.

(end)

I don't know where the TDSSkiller logs are. I've already uninstalled the program.

Edited by Deku, 15 September 2012 - 12:50 PM.
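As an added example (not code from the thread, from Malwarebytes, or from BleepingComputer), a small Python parser for the MBAM 1.x log layout quoted above: it pulls each detection into section, object, family and action, tallies families, and flags any object that was not quarantined and any section whose declared count disagrees with the lines actually present. The sample log is constructed from the layout above, with one "No action taken" line added purely to exercise the unresolved-item check.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Malwarebytes 1.x logs quoted above:
# "<Section> Detected: N" headers, then one "<object> (<family>) -> <action>."
# line per detection. The "No action taken" line is constructed; in the
# poster's real log every item was quarantined and deleted.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4352 (PUP.CrossFire.SA) -> Data: CouponDropDown -> Quarantined and deleted successfully.

Folders Detected: 1
C:\Users\Me\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Me\Downloads\HomeworldTrainer.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
C:\Program Files (x86)\CouponDropDown\Uninstall.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Users\Me\AppData\Roaming\dclogs\2012-09-15-7.dc (Stolen.Data) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
# Object path may itself contain parentheses, e.g. "Program Files (x86)", so the
# family is the last parenthesised token before " -> " and the object is non-greedy.
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (detections, declared): parsed item dicts plus the per-section
    counts the log header claims, so the two can be cross-checked."""
    detections, declared, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group("section")
            declared[section] = int(m.group("count"))
        elif section and (m := ITEM_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return detections, declared


def summarize(detections, declared):
    """Count detections per family, list objects MBAM did not quarantine, and
    flag sections whose declared count differs from the lines present."""
    by_family, per_section = defaultdict(int), defaultdict(int)
    for d in detections:
        by_family[d["family"]] += 1
        per_section[d["section"]] += 1
    unresolved = [d["object"] for d in detections if "Quarantined" not in d["action"]]
    mismatched = [s for s, n in declared.items() if per_section[s] != n]
    return dict(by_family), unresolved, mismatched
```

Anything left in `unresolved` after a scan is what a helper would ask the poster to look at next, and a non-empty `mismatched` list means the log was truncated or edited in transit.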


#4 buddy215

Posted 15 September 2012 - 02:19 PM

Check all of your browsers' addons/extensions/plugins for any unknown listing such as Babylon.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#5 Deku

Posted 17 September 2012 - 07:36 PM

The log wasn't there after the scan.

#6 buddy215

Posted 17 September 2012 - 08:29 PM

Did you see this in the instructions for Eset?
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic