Quolli Posted June 15, 2012 ID:560638 Share Posted June 15, 2012 I've recently been infected by several trojans. I managed to remove them all but I'm still a bit paranoid that there may be traces or something left.I have scanned using Malware Bytes' Free and SuperAntiSpyware free twice. Once in "normal" mode and once in Safe Mode with both programs.Why? Because my Desktop items don't "save". I move them in the order that I want, but every time I refresh my desktop they snap back into the default Alphabetical Order.Here is my MBAM log (This is from the Normal Mode scan. The Safe Mode scan picked up nothing but SuperAntiSpyware did):Malwarebytes Anti-Malware 1.61.0.1400www.malwarebytes.orgDatabase version: v2012.06.14.03Windows XP Service Pack 3 x86 NTFSInternet Explorer 8.0.6001.18702Sakura :: DORAEMON [administrator]14/06/2012 1:16:46 PMmbam-log-2012-06-14 (13-16-46).txtScan type: Full scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2PScan options disabled:Objects scanned: 399972Time elapsed: 58 minute(s), 27 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 1HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.Folders Detected: 0(No malicious items detected)Files Detected: 8C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\n (Trojan.Agent.MRGGen) -> Delete on reboot.C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.C:\Documents and Settings\Sakura\Local Settings\Application Data\{49081aa4-08d4-bff3-6b2e-67656aee082c}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102268.ini (Trojan.0access) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102258.ini (Trojan.0access) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP729\A0102280.ini (Trojan.0access) -> Quarantined and deleted successfully.C:\WINDOWS\system32\msvcrrt20.dll (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.(end)And here is my SuperAntiSpyware scan (From Safe Mode):SUPERAntiSpyware Scan Loghttp://www.superantispyware.comGenerated 06/15/2012 at 00:30 AMApplication Version : 5.0.1150Core Rules Database Version : 8732Trace Rules Database Version: 6544Scan type : Complete ScanTotal Scan Time : 09:35:54Operating System InformationWindows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)AdministratorMemory items scanned : 307Memory threats detected : 0Registry items scanned : 33354Registry threats detected : 0File items scanned : 181698File threats detected : 35Adware.Tracking CookieC:\Documents and Settings\Sakura\Cookies\XLGLUDQW.txt [ /doubleclick.net ]C:\Documents and Settings\Sakura\Cookies\HEHPB15V.txt [ /questionmarket.com ]C:\Documents and Settings\Sakura\Cookies\FEKIY76C.txt [ /statcounter.com ]C:\Documents and Settings\Sakura\Cookies\Q4C8S4HP.txt [ /revsci.net ]C:\Documents and Settings\Sakura\Cookies\M36WD5F6.txt [ /adxpose.com ]C:\Documents and Settings\Sakura\Cookies\NPMV9VZS.txt [ /traffic.34556y5n.info ]C:\Documents and Settings\Sakura\Cookies\5HRGR38I.txt [ /ads.adoptimized.com ]C:\Documents and Settings\Sakura\Cookies\GNOOA2BR.txt [ /overture.com ]C:\Documents and Settings\Sakura\Cookies\G4QWF8K8.txt [ /realmedia.com ]C:\Documents and Settings\Sakura\Cookies\XVRR40UD.txt [ /ad.yieldmanager.com ]C:\Documents and Settings\Sakura\Cookies\XU74T9Q7.txt [ /ox-d.fondnessmedia.com ]C:\Documents and Settings\Sakura\Cookies\S7VJK2VE.txt [ /imrworldwide.com ]C:\Documents and Settings\Sakura\Cookies\BACYFPCB.txt [ /cdn.jemamedia.com ]C:\Documents and Settings\Sakura\Cookies\XM3D6PHA.txt [ /serving-sys.com ]C:\Documents and Settings\Sakura\Cookies\ZFGWGNKJ.txt [ /in.getclicky.com ]C:\Documents and Settings\Sakura\Cookies\M2LMCWIN.txt [ /advertising.ezanga.com ]C:\Documents and Settings\Sakura\Cookies\XJ3WZ1BZ.txt [ /atdmt.com ]C:\Documents and Settings\Sakura\Cookies\KORQAMSX.txt [ /ru4.com ]C:\Documents and Settings\Sakura\Cookies\8CCDF1IL.txt [ /mediaplex.com ]C:\Documents and Settings\Sakura\Cookies\0A67HHU5.txt [ /adserver.adtechus.com ]C:\Documents and Settings\Sakura\Cookies\8UI4TEO3.txt [ /dc.tremormedia.com ]C:\Documents and Settings\Sakura\Cookies\FSLLJG21.txt [ /stat.onestat.com ]C:\Documents and Settings\Sakura\Cookies\QLJ31XLX.txt [ /bs.serving-sys.com ]C:\Documents and Settings\Sakura\Cookies\L4Z7JHUE.txt [ /media6degrees.com ]C:\Documents and Settings\Sakura\Cookies\L3WGR5ON.txt [ /lucidmedia.com ]C:\Documents and Settings\Sakura\Cookies\V0KKZDZI.txt [ /apmebf.com ]C:\Documents and Settings\Sakura\Cookies\G2VSNSG6.txt [ /invitemedia.com ]C:\Documents and Settings\Sakura\Cookies\FG3RA9EK.txt [ /statse.webtrendslive.com ]ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]objects.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]s0.2mdn.net [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\SAKURA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZWMDNNKT ]Trojan.Agent/Gen-SirefefC:\DOCUMENTS AND SETTINGS\SAKURA\LOCAL SETTINGS\APPLICATION DATA\{49081AA4-08D4-BFF3-6B2E-67656AEE082C}\U\80000032.@Trojan.Agent/Gen-Nullo[short]C:\SYSTEM VOLUME INFORMATION\_RESTORE{1FABC993-CAF4-4E0D-90EB-9C7372F68EF9}\RP730\A0102315.INI Link to post Share on other sites More sharing options...
Quolli Posted June 15, 2012 Author ID:560650 Share Posted June 15, 2012 I'm quite sure it's a registry error, but if someone could help me confirm that it's actually a registry error and not some nasty virus that would be great. Link to post Share on other sites More sharing options...
Maniac Posted June 15, 2012 ID:560710 Share Posted June 15, 2012 Hello Quolli and ! My name is Maniac and I will be glad to help you solve your malware problem.Please note:If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.First of first, let's take care for your system, because is still infected.BACKDOOR WARNINGOne or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:Help: I Got Hacked. Now What Do I Do?Help: I Got Hacked. Now What Do I Do? Part IIHow Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.Step 1Download the latest version of TDSSKiller from here and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.Click the Start Scan button.If a suspicious object is detected, the default action will be Skip, click on Continue.If malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.Step 2Download OTL to your DesktopDouble click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.Please tick the Scan All users. Next, click the Quick Scan button. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.In your next reply, post the following log files:TDSSKiller logOTL log with Extras.txt Link to post Share on other sites More sharing options...
LDTate Posted June 19, 2012 ID:561986 Share Posted June 19, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts