Sign in to follow this  
Followers 0
Quolli

Malware paranoia

4 posts in this topic

I've recently been infected by several trojans. I managed to remove them all but I'm still a bit paranoid that there may be traces or something left.

I have scanned using Malware Bytes' Free and SuperAntiSpyware free twice. Once in "normal" mode and once in Safe Mode with both programs.

Why? Because my Desktop items don't "save". I move them in the order that I want, but every time I refresh my desktop they snap back into the default Alphabetical Order.

Here is my MBAM log (This is from the Normal Mode scan. The Safe Mode scan picked up nothing but SuperAntiSpyware did):

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.14.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Sakura :: DORAEMON [administrator]

14/06/2012 1:16:46 PM

mbam-log-2012-06-14 (13-16-46).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 399972

Time elapsed: 58 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 1

HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 8

C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\n (Trojan.Agent.MRGGen) -> Delete on reboot.

C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102268.ini (Trojan.0access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102258.ini (Trojan.0access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102280.ini (Trojan.0access) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msvcrrt20.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.

(end)

And here is my SuperAntiSpyware scan (From Safe Mode):

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 06/15/2012 at 00:30 AM

Application Version : 5.0.1150

Core Rules Database Version : 8732

Trace Rules Database Version: 6544

Scan type : Complete Scan

Total Scan Time : 09:35:54

Operating System Information

Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 307

Memory threats detected : 0

Registry items scanned : 33354

Registry threats detected : 0

File items scanned : 181698

File threats detected : 35

Adware.Tracking Cookie

C:\Documents and Settings\Sakura\Cookies\XLGLUDQW.txt [ /doubleclick.net ]

C:\Documents and Settings\Sakura\Cookies\HEHPB15V.txt [ /questionmarket.com ]

C:\Documents and Settings\Sakura\Cookies\FEKIY76C.txt [ /statcounter.com ]

C:\Documents and Settings\Sakura\Cookies\Q4C8S4HP.txt [ /revsci.net ]

C:\Documents and Settings\Sakura\Cookies\M36WD5F6.txt [ /adxpose.com ]

C:\Documents and Settings\Sakura\Cookies\NPMV9VZS.txt [ /traffic.34556y5n.info ]

C:\Documents and Settings\Sakura\Cookies\5HRGR38I.txt [ /ads.adoptimized.com ]

C:\Documents and Settings\Sakura\Cookies\GNOOA2BR.txt [ /overture.com ]

C:\Documents and Settings\Sakura\Cookies\G4QWF8K8.txt [ /realmedia.com ]

C:\Documents and Settings\Sakura\Cookies\XVRR40UD.txt [ /ad.yieldmanager.com ]

C:\Documents and Settings\Sakura\Cookies\XU74T9Q7.txt [ /ox-d.fondnessmedia.com ]

C:\Documents and Settings\Sakura\Cookies\S7VJK2VE.txt [ /imrworldwide.com ]

C:\Documents and Settings\Sakura\Cookies\BACYFPCB.txt [ /cdn.jemamedia.com ]

C:\Documents and Settings\Sakura\Cookies\XM3D6PHA.txt [ /serving-sys.com ]

C:\Documents and Settings\Sakura\Cookies\ZFGWGNKJ.txt [ /in.getclicky.com ]

C:\Documents and Settings\Sakura\Cookies\M2LMCWIN.txt [ /advertising.ezanga.com ]

C:\Documents and Settings\Sakura\Cookies\XJ3WZ1BZ.txt [ /atdmt.com ]

C:\Documents and Settings\Sakura\Cookies\KORQAMSX.txt [ /ru4.com ]

C:\Documents and Settings\Sakura\Cookies\8CCDF1IL.txt [ /mediaplex.com ]

C:\Documents and Settings\Sakura\Cookies\0A67HHU5.txt [ /adserver.adtechus.com ]

C:\Documents and Settings\Sakura\Cookies\8UI4TEO3.txt [ /dc.tremormedia.com ]

C:\Documents and Settings\Sakura\Cookies\FSLLJG21.txt [ /stat.onestat.com ]

C:\Documents and Settings\Sakura\Cookies\QLJ31XLX.txt [ /bs.serving-sys.com ]

C:\Documents and Settings\Sakura\Cookies\L4Z7JHUE.txt [ /media6degrees.com ]

C:\Documents and Settings\Sakura\Cookies\L3WGR5ON.txt [ /lucidmedia.com ]

C:\Documents and Settings\Sakura\Cookies\V0KKZDZI.txt [ /apmebf.com ]

C:\Documents and Settings\Sakura\Cookies\G2VSNSG6.txt [ /invitemedia.com ]

C:\Documents and Settings\Sakura\Cookies\FG3RA9EK.txt [ /statse.webtrendslive.com ]

ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]

media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]

objects.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]

s0.2mdn.net [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]

secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]

Trojan.Agent/Gen-Sirefef

C:\DOCUMENTS AND SETTINGS\SAKURA\LOCAL SETTINGS\APPLICATION DATA\{49081AA4-08D4-BFF3-6B2E-67656AEE082C}\U\80000032.@

Trojan.Agent/Gen-Nullo[short]

C:\SYSTEM VOLUME INFORMATION\_RESTORE{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP730\A0102315.INI

Share this post


Link to post
Share on other sites

I'm quite sure it's a registry error, but if someone could help me confirm that it's actually a registry error and not some nasty virus that would be great.

Share this post


Link to post
Share on other sites

Hello Quolli and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

First of first, let's take care for your system, because is still infected.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.

  1. Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    tdss_1.jpg
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    tdss_2.jpg
  3. Click the Start Scan button.
    tdss_3.jpg
  4. If a suspicious object is detected, the default action will be Skip, click on Continue.
    tdss_4.jpg
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    tdss_5.jpg
  7. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Step 2

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick the Scan All users. Next, click the Quick Scan button. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

In your next reply, post the following log files:

  • TDSSKiller log
  • OTL log with Extras.txt

Share this post


Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.