39 replies to this topic

[Tomk]

Topic reopened at the request of the original poster.

[abu_jaaneb]

Tomk, First of all - my apologies for such a long delay in response. I was working on this thing for so long that I got tired of doing it and kidna needed a break. I was able to get a successful scan from the Kasperky Online finally. I also had a critical scan done a few days ago that I have attached. It just takes like forever this scan to finish. It did, however found multiple infections in my computer as you see in the log. Let me know what you think. I will make a point now to get this done with and over soon for you as well. Thanks.

Attached Files

•  Kaspersky_Critical_Scan_log.txt   1.1KB   275 downloads
•  kaspersky_Full_Scan_Log.txt   7.28KB   606 downloads

[Tomk]

abu_jaaneb,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

• Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
• Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
• Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)


COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  C:\WINDOWS\system32\ie7br.dll
  C:\WINDOWS\temp\txpxr_724405508328.b1k
  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KNYMAWJ5\ms[1].bin

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[abu_jaaneb]

Hello Tomk, Please find the Combofix log attached. It did not let me paste here as it exceed the post limit.

Attached Files

•  combofix_log_110609.txt   429.07KB   321 downloads

[Tomk]

abu_jaaneb,

What did you do? It looks like you did a system restore?

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  c:\windows\ayixesabejuko.dll
  c:\windows\system32\lahozunu.dll
  
  Registry::
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Knoyucinepu"=-
  "litasusepa"=-

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[abu_jaaneb]

TomK, I followed the instructions and cleaned the folders using ATF cleaner and than dragged and dropped the script file on Combofix.exe. Combo fix ran for about 20-30 mins and I posted the log thereafter. There was no system restore involved now or ever since I started having this problem. I have re-run will new instructions. Log included in the attachment.

Attached Files

•  ComboFix_110609_II.txt   13.83KB   298 downloads

[Tomk]

abu_jaaneb, Please update Malwarebytes and run a new scan. Also please tell me how things are running now.

[abu_jaaneb]

Hello Tomk, I did the full scan. Please see the log below. My laptop is now working fine as usual. I wasn't using it untill yesterday. I am thinking of doing a new install of the XP OS but don't have the CD for it so I am thinking of doing the Dell factory restore or something like that before I start using it again. Is it okay to use to this machine now as usual or you think there still are some serious infections remaining ? Malwarebytes' Anti-Malware 1.41 Database version: 3118 Windows 5.1.2600 Service Pack 3 11/7/2009 2:46:30 PM mbam-log-2009-11-07 (14-46-30).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 294420 Time elapsed: 57 minute(s), 10 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\denotatav (Trojan.Vundo.H) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

[Tomk]

abu_jaaneb,

We can't ever be 100% certain but Log looks good


Time for some housekeeping

• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK
• Note the space between the X and the U, it needs to be there.
• 

The above procedure will:

• Implement some cleanup procedures.
• Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:

• Make sure you have an Internet Connection.
• Download OTC to your desktop and run it
• A list of tool components used in the cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Go ahead and delete any tools that remain.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.

[Tomk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.