
Scan Shows: Win32.NimdaA Backdoor.Bot WormGeneric IRC-WormRandonT Appli


24 replies to this topic

#1 godivarides


Posted 23 October 2013 - 11:51 AM

I have a less than year old notebook that behaves slower than my very old desktop. Even after its check-up, it remains very slow with weird software issues. I have run a variety of malware programs but they report nothing significant.

 

MSI GT60

12 G Ram DDRII

i7-3610QM

1 T hdd - with virtually nothing on it as all my info remains on an external drive and USB

Win7 Home Premium

Wireless WiFi

 

2 days ago my system slowed to freeze, forced a reboot, which resulted in:

 

first reboot - 99 in the lower right corner

second reboot - B4 - same as above

third reboot - selected System Restore

 

I lost some material, but all my docs are saved on a USB or external drive.

 

Suddenly, my system was lightning fast - then it has slowed again.

 

After the restore, I loaded EMSISOFT Emergency Kit - scans for infections.  Initially there were only the PUP files, but today before finishing the scan it has found:

 

Win32.NimdaA@mm(B)

Backdoor.Bot156396 (B)

WormGeneric.22916 (B)

IRC-Worm.RandonT.(B)

ApplicationHideWindow.B (B)

 

Please guide to remove these.

 

Thank you

 




#2 quietman7


Posted 23 October 2013 - 12:30 PM

You can perform a scan with Emsisoft Web Malware Scanner which contains the same dual-engine scanner features of Emsisoft Anti-Malware to include cleaning and quarantine.
-- Vista/Windows 7/8 users need to run Internet Explorer as Administrator. To do this, right-click on the Internet Explorer icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

Note: This scanner is based on ActiveX technology and only supports Internet Explorer with ActiveX enabled to run correctly.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#3 godivarides


Posted 23 October 2013 - 02:41 PM

Hello Global Moderator - quietman7 - with a powerful program!

 

Thank you for your recommendation, I did as instructed in IE as Administrator.

 

The results of the DEEP SYSTEM SCAN just came in - NO MALWARE!!

 

Thank you for your suggestion.  Any others to remain virus free?


Edited by godivarides, 23 October 2013 - 03:25 PM.


#4 quietman7


Posted 23 October 2013 - 03:24 PM

You said you already ran a variety. What have you used? There is no sense in telling you to do something if you have already done it.

#5 godivarides


Posted 23 October 2013 - 04:56 PM

Understood.

 

I regularly run:

1. SuperAntiSpyware, which has found PUPs and removed them.

2. Malwarebytes which hasn't found anything.

 

Yesterday when my System Restored it was running lightning fast - so I immediately ran both and found nothing.

 

Searched on CNET and found the EMSISOFT Emergency Kit which after a few scans found the above issues and once again the computer turned into its lightning fast speed.

 

Ran it and removed them.

 

Then your recommendation above.

 

Wanting to keep my system virus free - what else should I run?

 

Thanks in advance!



#6 quietman7


Posted 23 October 2013 - 06:35 PM


You can always do an online scan to supplement your regular anti-virus scan which you did not mention.

I normally recommend Eset and provide these instructions.


Perform a scan with Eset Online Anti-virus Scanner. <- This process may take several hours, that is normal
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.


  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as the scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.
Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. Be careful what you choose to remove. If in doubt, ask before taking action.

#7 godivarides


Posted 24 October 2013 - 01:26 PM

Eset Scan just completed:

 

C:\Users\Sandra\Documents\Downloads\cbsidlm-cbsi134-AutoRun_Disable_by_Endpoint_Protector-ORG-75300368.exe    probably a variant of Win32/CNETInstaller.A application    cleaned by deleting - quarantined
D:\backup\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\backup\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\backup\Program Files (x86)\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe    a variant of Win32/Bundled.Toolbar.Ask.D application    cleaned by deleting - quarantined
D:\backup\Users\Sandra\Downloads\ARO2012_bt.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\backup\Users\Sandra\Downloads\avira_free_antivirus_en(1).exe    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
D:\backup\Users\Sandra\Downloads\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask application    deleted - quarantined
D:\backup\Users\Sandra\Downloads\cbsidlm-cbsi4_1_4-Pandora_Recovery-10694796.exe    a variant of Win32/CNETInstaller.A application    cleaned by deleting - quarantined
D:\backup\Users\Sandra\Downloads\cbsidlm-tr1_7-TSR_Watermark_Image_Software-10976931.exe    Win32/DownloadAdmin.D application    cleaned by deleting - quarantined
 

I have left the screen open until your further directions, thank you.



#8 quietman7


Posted 24 October 2013 - 01:36 PM


The scan found items related to various toolbars and add-ons the other scans missed. This entry - "CNETInstaller.A application" - indicates you most likely downloaded and installed other bundled software while using CNET. It's nothing to be overly concerned about, but we can run a couple of programs created specifically to deal with and clean up this kind of crap.

Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

Important: Do not reboot your computer until you complete the next step.

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Please download Junkware Removal Tool by thisisu and save it to your Desktop.
  • Close all open programs and shut down any protection/security software now to avoid potential conflicts.
  • Double-click on JRT.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.
These tools will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons, browser helper objects (BHOs) and other junkware, including many related registry entries (values, keys).

#9 godivarides


Posted 24 October 2013 - 03:03 PM

Do I reboot after running all 3 programmes: Rkill, Adware and Junkware Removal?

 

Do you want all 3 reports posted here?

 

Thank you.



#10 quietman7


Posted 24 October 2013 - 03:27 PM

Run RKill, then immediately run AdwCleaner.
You should be prompted to reboot after running AdwCleaner.
Then you can just run JRT...no need to rerun RKill.

Just post the logs for JRT and AdwCleaner as instructed.

#11 godivarides


Posted 24 October 2013 - 04:58 PM

Adware seems very strange ... there appears to be no action whatsoever ... it says "generic search in progress" for a few hours with no movement or progress bar or anything. I have run this before, so I understand it takes time, but it seems to be frozen. Could it be due to Comodo firewall?



#12 godivarides


Posted 24 October 2013 - 05:14 PM

I have 12,889 issues showing up with some application error for "Bonjour Service", which I have no idea what that is, for over a few months.



#13 quietman7


Posted 24 October 2013 - 06:07 PM

Bonjour (software)
Bonjour: Frequently asked questions (FAQ)

Try running AdwCleaner in safe mode then.

#14 godivarides


Posted 24 October 2013 - 06:53 PM

I clicked "repair" for Bonjour

 

Uninstalled Comodo Firewall (for now)

 

Rebooted system and tried AdwCleaner - hung up again.  Will run it in Safe Mode, as recommended.



#15 godivarides


Posted 24 October 2013 - 09:40 PM

Could only run AdwCleaner in Safe Mode and I'm uncertain if it was finished, since the page was larger than the screen and it wouldn't allow me to scroll down.

 

# AdwCleaner v3.010 - Report created 24/10/2013 at 20:32:33
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Sandra - GT60130712
# Running from : C:\Users\Sandra\Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\MixiDJ_V37
Folder Deleted : C:\Users\Sandra\AppData\Local\Conduit
Folder Deleted : C:\Users\Sandra\AppData\Local\MixiDJ_V37
Folder Deleted : C:\Users\Sandra\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Sandra\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Sandra\AppData\LocalLow\MixiDJ_V37
File Deleted : C:\END

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3298573
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{543C06C0-975A-4AEC-BFC6-741B455ED9E0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADA15396-2198-46B7-A1A4-8D4B68607593}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\MixiDJ_V37
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\MixiDJ_V37
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MixiDJ_V37

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\ixkytvf4.default\prefs.js ]

Line Deleted : user_pref("CT3298573_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1382467175454,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3298573");
Line Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 2);
Line Deleted : user_pref("smartbar.machineId", "GQDUTTMDN2GFPBXXN0WEVVGWAVS");

*************************

AdwCleaner[R0].txt - [1906 octets] - [03/09/2013 14:44:37]
AdwCleaner[R1].txt - [900 octets] - [06/09/2013 11:51:04]
AdwCleaner[R2].txt - [959 octets] - [09/09/2013 15:08:50]
AdwCleaner[R3].txt - [1113 octets] - [02/10/2013 09:49:23]
AdwCleaner[R4].txt - [1197 octets] - [02/10/2013 16:50:59]
AdwCleaner[R5].txt - [283 octets] - [24/10/2013 14:04:31]
AdwCleaner[R6].txt - [286 octets] - [24/10/2013 15:40:34]
AdwCleaner[R7].txt - [283 octets] - [24/10/2013 16:45:10]
AdwCleaner[R8].txt - [4818 octets] - [24/10/2013 20:12:53]
AdwCleaner[S0].txt - [1993 octets] - [03/09/2013 14:45:04]
AdwCleaner[S1].txt - [1019 octets] - [09/09/2013 16:10:34]
AdwCleaner[S2].txt - [1177 octets] - [02/10/2013 10:57:19]
AdwCleaner[S3].txt - [1259 octets] - [02/10/2013 16:52:02]
AdwCleaner[S4].txt - [4597 octets] - [24/10/2013 20:32:33]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [4657 octets] ##########
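Reading a report like the one above by hand is tedious when the same CLSID turns up under half a dozen keys. The following Python script is an added example, not part of this thread and not AdwCleaner's own tooling: it parses AdwCleaner's report layout (the "***** [ Section ] *****" headers and the "Kind Deleted : target" lines; "Found" is also accepted for scan-only reports, which is an assumption on my part) and groups the registry entries by CLSID, mapping each one to the Internet Explorer load points it was wired into. The load-point labels in LOAD_POINTS are my own classification, and the embedded sample input is an excerpt of the [S4] report above, trimmed so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: an excerpt of the AdwCleaner[S4].txt report posted above
# (a subset of its lines, so the script runs offline without the real file).
SAMPLE_REPORT = r"""# AdwCleaner v3.010 - Report created 24/10/2013 at 20:32:33
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Program Files (x86)\MixiDJ_V37
File Deleted : C:\END

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEF3855C-FC2D-41E6-8D91-D368F51B3055}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEF3855C-FC2D-41E6-8D91-D368F51B3055}]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C84BABA-BF9D-4E42-A684-5288580631D2}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Conduit

***** [ Browsers ] *****

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\ixkytvf4.default\prefs.js ]

Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3298573");
Line Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 2);
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Deleted" is what clean (S) reports use; "Found" is assumed for scan-only (R) reports.
ACTION_RE = re.compile(r"^(Key|Value|Folder|File|Line) (Deleted|Found) : (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Registry locations under which a CLSID is actually loaded by IE/Explorer.
# A bare HKxx\SOFTWARE\Classes\CLSID\{...} key only registers a component;
# these keys are what make the browser load it. Labels are my own classification.
LOAD_POINTS = {
    "browser helper objects": "BHO (loaded into every IE window)",
    "internet explorer\\toolbar": "IE toolbar",
    "urlsearchhooks": "URL search hook (intercepts address-bar typing)",
    "searchscopes": "search provider",
    "ext\\preapproved": "pre-approved add-on (no user prompt)",
}


def parse_report(text):
    """Return {section: [(kind, action, target), ...]} for an AdwCleaner report."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ACTION_RE.match(line)
        if m:
            sections[current].append(m.groups())
    return dict(sections)


def clsid_load_points(entries):
    """Map each CLSID seen in the registry entries to the load points it was wired into."""
    found = defaultdict(set)
    for _kind, _action, target in entries:
        low = target.lower()
        for clsid in CLSID_RE.findall(target):
            points = found[clsid.upper()]  # creates the entry even for a bare Classes\CLSID key
            for needle, label in LOAD_POINTS.items():
                if needle in low:
                    points.add(label)
    return dict(found)


def summarize(text):
    """Per-section item counts plus the CLSID -> load-point map for the Registry section."""
    report = parse_report(text)
    counts = {section: len(items) for section, items in report.items()}
    clsids = clsid_load_points(report.get("Registry", []))
    return counts, clsids


def main():
    counts, clsids = summarize(SAMPLE_REPORT)
    for section, n in counts.items():
        print(f"{section}: {n} item(s) removed")
    for clsid, points in clsids.items():
        print(clsid, "->", ", ".join(sorted(points)) or "registered only, no load point seen")


if __name__ == "__main__":
    main()
```

For the excerpt, {EEF3855C-FC2D-41E6-8D91-D368F51B3055} resolves to three load points (BHO, IE toolbar and URL search hook), which is why one Conduit toolbar shows up as so many separate registry deletions; a Classes\CLSID key on its own only says a component is registered, not that anything loads it, so the load-point keys are the ones worth checking first when reviewing a report before clicking Clean.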





