
[Closed] This Computer is Being Attacked


This topic is locked. 13 replies to this topic.

#1 Lexxie (New Member, Authentic Member, 7 posts)

Posted 08 November 2009 - 10:01 PM

Dear Helpers,

Recently my computer was infected with some kind of Trojan: a small banner pops up every 5 minutes or so which says "THIS COMPUTER IS BEING ATTACKED". (The banner has a star wand on it.) I've searched through the processes in Task Manager and managed to find the processes, which are global.exe, system.exe and svchost.exe. They are found in dllcache\recycler (which I renamed and deleted a few times, but after a few minutes they reappear again, and so far I'm not able to determine the root cause of these processes). Can anyone help me to remove this malware? Thank you very much. :)

Best Regards, Lexxie.



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2009 - 04:39 PM

Hello and Welcome to the forum.

Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Link 1
Link 2


Double click on ABCD.exe (the renamed ComboFix.exe) & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate via PayPal for the help you received.

Proud graduate of TC/WTT Classroom


#3 Lexxie (New Member, Authentic Member, 7 posts)

Posted 10 November 2009 - 12:26 AM

I've followed your instructions in downloading the combofix.exe software and renaming it to ABCD.exe before saving it to my desktop. However, when I start the application it states that the software has been compromised and that a virus called Virut will enter my computer. Then the program is no longer there. Please shed some light on this. Thank you very much :)

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 11 November 2009 - 03:57 PM

You are infected with a polymorphic file infector.
This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html.

You should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

The best thing you can do is to back up, preferably to CD, all your important data, documents, pictures, movies, and songs.

DO NOT back up any applications or installers and DO NOT back up any files with the following extensions:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar

Please see this information by miekiemoes:
http://miekiemoes.bl...s-throwing.html

If you want to try and remove it, try this.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.



#5 Lexxie (New Member, Authentic Member, 7 posts)

Posted 12 November 2009 - 03:07 AM

Thank you very much for the detailed info.

I have tried to use Dr. Web CureIt, and the log file can be downloaded from the link below:
http://www.2shared.c...9e3/CureIt.html

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 12 November 2009 - 06:58 AM

I'm at work and that site is blocked. Use copy / paste and post the scan results.



#7 Lexxie (New Member, Authentic Member, 7 posts)

Posted 12 November 2009 - 06:14 PM

The report is too long, I'm not able to upload it to this post. However, the scan result is as shown below:

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 6228
Infected: 2
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 2
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 5823 Kb/s
Scan time: 00:04:39
-----------------------------------------------------------------------------

After I tried Dr.Web CureIt, the virus is still on the computer. When I run Dr.Web CureIt again, the same virus is detected.

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 12 November 2009 - 08:21 PM

Let's try this.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".



#9 Lexxie (New Member, Authentic Member, 7 posts)

Posted 13 November 2009 - 03:01 AM

Actually, I don't have internet access on the computer that has been infected. It is my equipment computer (that's why it's so easily infected by viruses). I've tried to use Dr.Web again and the report is as follows:

autorun.inf;C:\WINDOWS\system32\dllcache;Win32.HLLW.Autoruner.5194;Deleted.;
autorun.inf;C:\;Win32.HLLW.Autoruner.5194;Deleted.;
autorun.inf;C:\;Win32.HLLW.Autoruner.5194;Deleted.;
UnDocked.html;C:\Empower\HTML\en\Promain\UnDocked;Win32.Virut;Cured.;
icwconn1.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;
javaws.exe;C:\Program Files\Java\jre1.5.0_06\bin;Win32.Virut.56;Cured.;
conf.exe;C:\Program Files\NetMeeting;Win32.Virut.56;Cured.;
msimn.exe;C:\Program Files\Outlook Express;Win32.Virut.56;Cured.;
A0010112.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010113.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010114.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010115.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010116.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010117.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010118.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010119.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010120.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010121.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010122.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010123.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010124.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010125.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010126.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010127.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010128.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010129.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010130.vbs;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.HLLW.Autoruner.5194;Deleted.;
A0010131.hlp;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010132.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010133.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010134.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010135.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010136.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010137.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010138.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010139.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010140.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010141.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010142.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010143.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010144.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010145.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010146.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010147.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010148.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010149.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010150.exe;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
Boom.vbs;C:\WINDOWS\Cursors;Win32.HLLW.Autoruner.5194;Deleted.;
autorun.inf;C:\WINDOWS\system32\dllcache;Win32.HLLW.Autoruner.5194;Deleted.;
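The Dr.Web report above, read as a detection log rather than a list of wins. This is an added example, not code from the post, from Dr.Web or from the helper. It assumes the record layout visible in the posted output, `filename;directory;detection;action.;`, one record per line as DrWeb.csv would hold it; the eight sample records are copied from the log above. The triage separates three things a responder wants to know from such a log: the autorun.inf/.vbs droppers, which come back until the process writing them is stopped (the user's own observation about dllcache\recycler); the copies under System Volume Information\_restore, which are System Restore snapshots that keep the infected binaries until the restore points are purged; and the live files reported Cured, which a scanner rewrote in place and which, for a file infector, should be verified or replaced rather than treated as closed.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Added example; not code from the forum post, from Dr.Web or from the helper.
Assumed record layout, taken from the log posted in the thread:

    filename;directory;detection;action.;

one record per line. SAMPLE_REPORT is a constructed sample: eight records
copied from the posted log, laid out one per line.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
autorun.inf;C:\WINDOWS\system32\dllcache;Win32.HLLW.Autoruner.5194;Deleted.;
autorun.inf;C:\;Win32.HLLW.Autoruner.5194;Deleted.;
UnDocked.html;C:\Empower\HTML\en\Promain\UnDocked;Win32.Virut;Cured.;
icwconn1.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;
msimn.exe;C:\Program Files\Outlook Express;Win32.Virut.56;Cured.;
A0010112.EXE;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.Virut.56;Cured.;
A0010130.vbs;C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP65;Win32.HLLW.Autoruner.5194;Deleted.;
Boom.vbs;C:\WINDOWS\Cursors;Win32.HLLW.Autoruner.5194;Deleted.;
"""

# System Restore keeps copies of changed files under this directory. A scanner
# can report those copies cleaned, but the restore point still carries the
# infected originals until it is purged.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)

# autorun.inf plus the script it launches is the removable-media spreader;
# deleting it without stopping the dropper process lets it reappear.
DROPPER_SUFFIXES = (".inf", ".vbs")


def parse_report(text):
    """Return one dict per record: name, full path, detection, action."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue  # blank line or malformed record
        name, directory, detection, action = parts[:4]
        records.append({
            "name": name,
            "path": directory.rstrip("\\") + "\\" + name,
            "detection": detection,
            "action": action.rstrip("."),
            "in_restore_point": bool(RESTORE_RE.search(directory)),
        })
    return records


def triage(records):
    """Summarise what was hit, what sits in restore points, and what to verify."""
    by_family = Counter((r["detection"], r["action"]) for r in records)
    restore_point = [r["path"] for r in records if r["in_restore_point"]]
    live = [r for r in records if not r["in_restore_point"]]
    droppers = [r["path"] for r in live
                if r["name"].lower().endswith(DROPPER_SUFFIXES)]
    # "Cured" on a live file means the scanner rewrote it in place; for a file
    # infector that is a file to re-verify or replace, not a closed item.
    cured_live = [r["path"] for r in live if r["action"] == "Cured"]
    return {
        "by_family": dict(by_family),
        "restore_point_copies": restore_point,
        "dropper_paths": droppers,
        "cured_live_files": cured_live,
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for (detection, action), count in sorted(summary["by_family"].items()):
        print(f"{detection:32} {action:8} {count}")
    for key in ("dropper_paths", "cured_live_files", "restore_point_copies"):
        print(f"\n{key}:")
        for path in summary[key]:
            print("  " + path)
```

To run it on the real report, read DrWeb.csv from the desktop and pass its text to `parse_report` in place of `SAMPLE_REPORT`; anything under `restore_point_copies` is the reason the restore points should be discarded once the live system is clean, and anything under `dropper_paths` that shows up again on a rescan points at a process that is still running.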

#10 Lexxie (New Member, Authentic Member, 7 posts)

Posted 13 November 2009 - 03:11 AM

How my computer behaves is as follows: actually the problem arose when some of my programs stopped functioning. Most probably infected by a Trojan. Then it has a pop-up banner which states "THIS COMPUTER IS BEING ATTACKED", a blue coloured banner moving diagonally with a wand at its side. Some of my folders on the desktop and in My Documents have all turned into application (.exe) files and a lot of my data is lost.

#11 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 November 2009 - 07:46 PM

Let's see if we can fix the exe files.

Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



#12 Lexxie (New Member, Authentic Member, 7 posts)

Posted 16 November 2009 - 11:22 PM

I have run the application 3 times because I don't see any deletion of .exe files. Please help me on this matter, thank you very much!

exeHelper by Raktor
Build 20091021
Run at 12:53:18 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 12:53:48 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 12:54:27 on 11/17/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
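The exeHelper log above reports resetting the .exe and .com file associations and the Winlogon Userinit and Shell values, but does not show what they contained before or after. The following added example (not code from exeHelper or from anyone in the thread) checks those values from a registry export, so the fix can be verified on a machine like this one: dump the keys with `reg export` on the affected PC, then run the script against the .reg files (`reg export` writes them as UTF-16, hence the encoding in the file-reading code). The expected defaults are those of a stock Windows XP install with the system root at C:\WINDOWS, which is an assumption for this thread; both sample exports in the block are constructed for the example, and the hijacked values in the second one are illustrative, not what was actually on the infected PC.

```python
"""Check a registry export (.reg text) for the values exeHelper resets:
the .exe/.com open commands and the Winlogon Userinit and Shell values.

Added example; not code from exeHelper or from the forum thread. Produce the
input on the affected machine with, for example:
    reg export HKCR\exefile\shell\open\command exefile.reg
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
Only REG_SZ (quoted) values are decoded; other types are kept verbatim.
The Userinit default assumes the system root is C:\WINDOWS (assumption).
"""
import re

# Stock defaults on Windows XP (assumption: system root C:\WINDOWS).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "Shell": "Explorer.exe",
    },
}

# Constructed sample of a clean export (what `reg export` writes, minus the BOM).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"AutoRestartShell"=dword:00000001
'''

# Constructed "hijacked" sample (illustrative, not taken from the infected PC):
# every .exe launch is routed through a dropper first, and a second program is
# appended to Userinit so it starts at every logon.
HIJACKED_REG = CLEAN_REG.replace(
    r'@="\"%1\" %*"',
    r'@="\"C:\\WINDOWS\\system32\\dllcache\\recycler\\system.exe\" \"%1\" %*"',
    1,
).replace(
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"',
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\dllcache\\recycler\\global.exe"',
)

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map each key (lower-cased) to {value name: data}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # REG_SZ; other types stay verbatim
        keys[current][name] = data
    return keys


def audit(text, expected=EXPECTED):
    """Return (key, value name, found, expected) for every deviation from stock."""
    keys = parse_reg(text)
    findings = []
    for key, wanted in expected.items():
        values = keys.get(key.lower())
        if values is None:
            findings.append((key, None, None, "key present in export"))
            continue
        for name, want in wanted.items():
            got = values.get(name)
            if got is None or got.lower() != want.lower():
                findings.append((key, name, got, want))
    return findings


if __name__ == "__main__":
    import sys
    # With no arguments, audit the constructed hijacked sample.
    texts = [open(p, encoding="utf-16").read() for p in sys.argv[1:]]
    for finding in audit("\n".join(texts) if texts else HIJACKED_REG):
        print(finding)
```

Run it once before exeHelper and once after: an empty result means the three keys match stock; any finding names the key, the value and what it currently holds, which is the first thing to compare against the processes seen in Task Manager.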

#13 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 17 November 2009 - 07:20 AM

Try combofix (ABCD) again.

Hello and Welcome to the forum.

Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Link 1
Link 2


Double click on ABCD.exe (the renamed ComboFix.exe) & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.




#14 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 26 November 2009 - 05:35 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

