I Think I'm Infected With Various Infections.


34 replies to this topic

#1 pacificoast

Posted 16 July 2006 - 11:25 AM

Hi.

I'm running Windows XP (service pack two). I believe that my computer is infected with various forms of infection, including a keylogger, a backdoor, a trojan and lots of tracking cookies.

Several things point to this, but I need to know if the online scanning program, eTrust Pestscan is reliable because when I ran it last night, it indicated that I have the above listed problems. I have looked in the registry and can't determine if this is so, but in looking I found other suspicious looking entries with very odd names. I think this computer is infected.

As of today eTrust Pestscan shows right now that I supposedly have the following problems/infections:

Pest | Type
Actual Spy 2.8 | Key Logger
  found in: Key "hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
Backdoor.Bifrose | Backdoor
  found in: Key "hkey_local_machine\software\microsoft\windows\currentversion\uninstall\xvid"
KaZaA | P2P
  found in: Key "hkey_current_user\software\kazaa"
Com.com | Tracking Cookie
  found in: Cookie "laurie gassman@com[1].txt", File "C:\Documents and Settings\Laurie Gassman\Cookies\laurie gassman@com[1].txt"


I'm suspicous because for one thing, my computer has been running terribly slowly.

Secondly, I had a sort of system instability and lost several years worth of email on my local computer in my Outlook Express program just a few days ago. My virus scanning program, Trend Micro PC-cillin, popped up at that time and said there was a system instability and it had reverted to an earlier *saved* profile. These are my words as I can't recall the exact wording.

I have been trying to find out what happened. I finally turned to trying free scanning programs, as it appeared that my virus/spyware protection program had failed.

I am not running Sygate any longer, as it fails to continue to work. I am running the firewall that comes with the Trend Micro-PCcillin.

I would appreciate any possible help that you could give me.

Pacificoast
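A defender-side check for the autostart locations the eTrust report above cites, added here as an example and not part of the original post. It assumes PowerShell 5 or later on a current Windows host; the key paths are the Policies\Explorer\Run key quoted in the report plus the standard Run keys, and Get-ImagePath is a helper written for this example.

```powershell
# Added example, not from the thread: list every value in the Explorer\Run policy key
# the eTrust scan flagged (plus the standard Run keys), resolve the target file, and
# report whether it exists and carries a valid Authenticode signature.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ImagePath {
    # Hypothetical helper: isolate the executable from a command line, honouring a
    # quoted path and otherwise taking the first whitespace-delimited token.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $autostartKeys) {
    # An absent key means nothing autostarts from it; skip rather than error.
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $command))
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            # Bare names (no directory) resolve through PATH, as Explorer would.
            $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
            if ($found) { $exe = $found.Source }
        }
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            $status = 'FileMissing'   # entry points at a path that no longer exists
        }
        [PSCustomObject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Target    = $exe
            Signature = $status
        }
    }
}
```

The Policies\Explorer\Run key is normally absent on a workstation unless Group Policy created it, so any entry listed there is worth examining, and an unsigned or missing target under any of these keys is the kind of finding to compare against what the scanner reported.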

#2 tg1911

Posted 16 July 2006 - 11:35 AM

I suggest you post a HijackThis log for examination.
A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.
Once you post your log, don't make any changes to your system, as that could change the results of the posted log, making it difficult to properly clean your system.

Read Preparation Guide for use before posting a HijackThis Log.
Please read, and follow, all directions carefully!!!

Then run a log and post it in the HijackThis forum at this link. Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response because the HJT Team is very busy. Please be patient, as these people are volunteers. They will help you out as soon as possible.

NOTE:
Once you have made the post, please DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post and let it sit there until a team member responds. This way you will be taken care of in the most timely manner.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

#3 pacificoast

Posted 18 July 2006 - 11:15 AM

Hi tg1911,

Sorry to be so long in getting back, but this computer is running very slowly, and I have been having trouble getting the online scans to function.

I am down to the McAfee Avert Stinger program, but I have a problem. It says to turn off all System Restore points. When I get to that point, my computer warns me that if I do that, that all restore points will be removed from my system. Do I really want to do that?

Thanks....
pacificoast

PS- is it okay to restart my computer..... as it's been running for several days and is so slow it's painful?

Edited by pacificoast, 18 July 2006 - 11:50 AM.


#4 tg1911

Posted 18 July 2006 - 11:58 AM

I wouldn't turn off System Restore until you're sure your computer is clean.
If something were to go wrong during the removal/cleanup process you wouldn't have anything to fall back on.
An infected restore point is better than no restore point at all.
You'll just have to start the cleaning process again.
Better than having to reinstall the operating system and lose everything you have saved on your computer.

After your system has been thoroughly cleaned, then turn off System Restore, reboot, enable System Restore and set a new restore point.

I wouldn't restart until the cleaning process is complete.

Edited by tg1911, 18 July 2006 - 12:25 PM.

#5 pacificoast

Posted 18 July 2006 - 03:58 PM

Thanks tg1911,

It said to disable the system restore as it says that an infected system restore file could be saved as a backup file. But I agree. I just hope that in selecting the x on the box that I didn't already do that. I didn't hit *apply* but I am no longer getting that warning about how it will delete all backup files.

I have to back up a bit here, as there is a change in my findings. I ran Bit Defender and it found no problems. I was finally able to get Trend Micro online to work today, and it found a load of problems, some of which I am not in the least bit certain of how to handle. I haven't done anything...... yet. And the page is still open (cross fingers!).

I believe that I ran the java version, and am unable to copy and save the information for you, but I have copied it to notebook and am pasting my copy below:

Detected grayware/spyware:

ADWARE_COUPONS
ADWARE_SAVENOW
FREELOADER_SMITFRAUD
SPYWARE_KEYL_PCAGENT
SPYWARE_TRAK_PWSTEALER
ADWARE_BRILLIANTDIGITALENTERTAINMENT
ADWARE_GOZILLA
ADWARE_BHOT-IWON
ADWARD_SEARCHAND
HTTP_cookies

Detected vulnerabilities:
Vulnerability in Windows Media Player could allow remote Code Execution (911565)
Cumulative Security Update for Internet Explorer (916281)
Vulnerability in ART Image Rendering Could Allow Remote Code Execution (917344)
Vulnerability in Microsoft JScript Could Allow Remote Code Execution (911280)
Vulnerability in Routing and Remote Access Could Allow Remote Execution (911280)
Vulnerability in Server Message Block Could Allow Elevation of Priviledge (914389)
Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
________________________________

Please advise me of what to do, particularly on the Detected vulnerabilities section.

Is it okay for me to use TREND Micro's site to delete the grayware/adware files?

Thanks,
pacificoast

Edited by pacificoast, 18 July 2006 - 04:02 PM.


#6 quietman7

Posted 18 July 2006 - 06:15 PM

You should allow Trend Micro to remove all the detected malware.

The vulnerabilities identified are Windows updates and patches that you have not downloaded and applied to your system. This part of the scan is advisory/informational but getting your system fully updated with all the patches is something you need to do.

I would also recommend that you download and scan with Ewido Anti-Spyware v4.0 in "SAFE MODE".
Print out the Ewido Install and Scan Instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 pacificoast

Posted 18 July 2006 - 07:01 PM

Thanks quietman7,

I am a bit confused about the Detected vulnerabilities, as I regularly use the Microsoft Update site. But somehow these patches don't seem to come up when I use it. Is that the norm?

Would you try to resolve all of the Detected vulnerabilities before hitting the *Clean Now* button on the TREND Micro site? (TOO LATE!). :thumbsup:

The installation of the patches that come from Microsoft that address the Security Vulnerabilities, are confusing, to say the least. And I need some help here as well.

Am I best in using Run, instead of Save? And will it automatically reboot my computer?
I ask because when I tried to use Save for one of the patches, it resulted in a file with an unknown extension that I was unable to make functional.

And, lastly for now, would it be okay to put this notebook computer in *Standby*, or does that do what rebooting does, in terms of having to start over on this disinfection process?

Thanks for any help,
pacificoast

Edited by pacificoast, 18 July 2006 - 08:06 PM.


#8 quietman7

Posted 19 July 2006 - 07:18 AM

Detected vulnerabilities are a normal part of Trend Micro's report. However, I recommend that you go directly to Windows Update and check there for any patches rather than rely on Trend Micro.

If Trend Micro is reporting a vulnerability that Windows update does not show, then it may be an optional or moderate update rather than a critical. To get details on the particular vulnerability go to Windows Security & Updates and perform a search. Enter the number code provided at the end of the vulnerability in the search box (use All downloads in the drop down box) at the top and click "Go".

Example:
Vulnerability in Microsoft JScript Could Allow Remote Code Execution (911280)

A search of 911280 yields this. You will notice that there are additional links to the applicable Security Bulletin and Knowledge Base Article where you can read more information about the patch.

Standby reduces the power consumption of your computer by cutting power to hardware components you are not using. Standby can cut power to peripheral devices, your monitor, and your hard drive, but maintains power to your computer's memory so you don't lose your work. However, I have heard users report problems when trying to come out of standby or hibernate.

Anyway, rebooting may be necessary at certain points in cleaning various infections so that does not mean you need to start over. Generally, not rebooting is a concern when we have identified a piece of malware that renames itself after a reboot, thus making it more difficult to remove.

#9 pacificoast

Posted 19 July 2006 - 10:53 AM

Thanks quietman7,

I read your advice and appreciate it.

I went to the Microsoft Updates site, and they have come up with a list of updates for me, but they fall into the High Priority Updates category, and aren't critical, though they generally address security problems with Windows based systems/programs.

Would you install these?

Thanks,
pacificoast

Edited by pacificoast, 19 July 2006 - 10:53 AM.


#10 quietman7

Posted 19 July 2006 - 11:05 AM

"High priority" updates are a new category on the Windows Update Web site, along with optional software and hardware categories. High priority updates can include critical and security-related updates, service packs, and update rollups...If you choose Express install, Windows Update automatically lists all high priority updates for your PC. But if you want to install all available updates at one time, including optional updates and drivers, you can now select them with one click after you choose Custom Install.

http://www.microsoft.com/windowsxp/sp2/whatsnewforwu.mspx

If they are applicable to your OS, I would install them all.

#11 pacificoast

Posted 19 July 2006 - 04:13 PM

Thanks quietman7,

I have done the Windows Updates and am down to the HijackThis log... but.....

I have a HijackThis log, but following the link on this page, I am unsure as to which thread to post the log file to. Maybe I'm just getting tired.....

Which thread does it go under on this link: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

I see my topic there with a red folder.

Thanks,
pacificoast

#12 quietman7

Posted 19 July 2006 - 06:09 PM

Post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

Start a new topic, give it a relevant title and post the log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

#13 pacificoast

Posted 19 July 2006 - 06:51 PM

Thanks again quietman7,

I have posted the HijackThis log to the appropriate site... I hope!

I have updated Windows with the patches from the Windows Update site, and thank you for your patience in explaining how to check out each of the supposed vulnerabilities, and to make decisions about which might be worth pursuing. You were very gracious with your time and talent as you have been all along.

Should I reboot this computer so that the updates can take effect?

And how long can a notebook computer run before it's a good idea to give it a rest? This one is feeling like it needs a break. I have the sense that notebooks were not meant to run as many consecutive hours as desktops. Am I right? :thumbsup:

Please advise.

Thanks again,
pacificoast

PS- is Oldtimer still here?

Edited by pacificoast, 19 July 2006 - 07:02 PM.


#14 quietman7

Posted 19 July 2006 - 07:00 PM

I'm not a notebook user so I'm not sure how long you should keep it running without giving it a rest. I sure don't let my desktop pc go more than a few days without doing a reboot.

Go ahead and reboot so your updates can take effect. Just keep in mind that after posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modification you make may complicate the malware removal process and could lead to your system being damaged further.

#15 pacificoast

Posted 19 July 2006 - 07:09 PM

Thank you, quietman7,

I just have the sense that this thing needs to cool off and regain some vitality (speed) as well as the need to allow the Windows updates to take effect. :thumbsup:

I will heed your advice.

Thanks again,
pacificoast



