
Infected with "a variant of Win32/Spy.Zbot.ZR Trojan" ESET NOD32 says unable to clean



Hi, I need some help cleaning my computer of a variant of Win32/Spy.Zbot.ZR Trojan. So far I have done a full scan with Malware Bytes and SUPER Anti Spyware but they have not picked it up. After rebooting my computer after a full scan, ESET showed a warning that there was a Trojan on my PC but it is "unable to clean". I have scanned using Malware Bytes in Safe Mode. SUPER Anti Spyware was scanned in Normal mode. I am currently scanning using ESET NOD32 in Normal mode. The current scan says "Number of infiltrations: 1" and lists the Zbot.ZR Trojan as "unable to clean".

Unfortunately the Trojan appears to have partially hijacked my browser (it redirects me to my Homepage [Google] if I attempt to go to the Malware Bytes forum). I am not sure how I am to get my antivirus logs onto the forum without a USB (I'm a bit paranoid it may decide to travel via USB and infect the current computer I am using).

Please help, thank you for your time.


DDS Log

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Sakura at 21:14:08 on 2012-06-22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2946 [GMT 10:00]

.

AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Soluto\SolutoService.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com.au/

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [Oryxaqr] "c:\documents and settings\sakura\application data\neaf\owni.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

mRun: [iaptrf] rundll32.exe "c:\documents and settings\sakura\application data\iaptrf.dll",HrByteToStream

mRun: [arisr] "c:\windows\system32\rundll32.exe" "c:\documents and settings\sakura\application data\arisr.dll",FileHandleToInstanceNameA

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\sakura\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1339847077390

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276944085828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v490.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{C38FFE6C-21E4-4CE1-83D7-21562F34FE98} : DhcpNameServer = 192.168.0.1

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

============= SERVICES / DRIVERS ===============

.

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-30 116608]

R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2012-4-24 584224]

S0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [2012-2-5 51144]

S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-18 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67664]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DAZContentManagementService;DAZ Content Management Service; [x]

S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-9-3 66560]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-2-22 1262400]

S2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-6-19 35840]

S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

S3 cpuz135;cpuz135;\??\c:\windows\temp\cpuz135\cpuz135_x32.sys --> c:\windows\temp\cpuz135\cpuz135_x32.sys [?]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\futuremark\futuremark systeminfo\FMSISvc.exe [2012-5-21 135584]

S3 qcusbser;Garmin-Asus USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2009-12-19 111464]

S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-6-19 28416]

S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-6-19 17408]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-06-22 05:28:21 -------- d-----w- c:\documents and settings\all users\application data\B7E858890004734F000ABA83D151FC4E

2012-06-22 05:28:14 -------- d-----w- c:\documents and settings\sakura\application data\Tikiwu

2012-06-22 05:28:14 -------- d-----w- c:\documents and settings\sakura\application data\Sasiot

2012-06-22 05:28:14 -------- d-----w- c:\documents and settings\sakura\application data\Neaf

2012-06-16 12:19:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-06-16 12:18:30 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2012-06-16 12:18:30 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2012-06-16 12:18:30 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2012-06-16 12:18:29 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2012-06-16 12:18:29 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2012-06-16 12:18:29 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll

2012-06-16 12:18:29 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll

2012-06-16 12:03:11 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2012-06-16 11:55:05 2192640 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2012-06-16 11:55:05 2148352 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2012-06-16 11:55:04 2026496 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2012-06-16 11:53:46 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2012-06-16 09:33:58 119808 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe

2012-06-16 09:32:59 8192 -c--a-w- c:\windows\system32\dllcache\staxmem.dll

2012-06-16 09:31:07 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2012-06-16 09:31:07 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2012-06-16 08:49:25 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2012-06-16 08:49:25 24661 ----a-w- c:\windows\system32\spxcoins.dll

2012-06-16 08:49:25 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2012-06-16 08:49:25 13312 ----a-w- c:\windows\system32\irclass.dll

2012-06-16 08:49:00 16535 ----a-r- c:\windows\SET142.tmp

2012-06-16 08:48:57 1088840 ----a-r- c:\windows\SET136.tmp

2012-06-16 08:48:56 1296669 ----a-r- c:\windows\SET133.tmp

2012-06-16 08:05:49 370688 ----a-w- c:\documents and settings\sakura\application data\arisr.dll

2012-06-16 00:33:34 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2012-06-16 00:33:34 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2012-06-16 00:33:34 -------- d-----w- c:\program files\OpenAL

2012-06-15 10:19:25 -------- d-sh--w- c:\documents and settings\sakura\IECompatCache

2012-06-15 08:30:50 -------- d-----w- c:\program files\WinASO

2012-06-14 02:59:09 132608 ----a-w- c:\documents and settings\sakura\application data\iaptrf.dll

2012-06-12 06:25:35 -------- d-----w- c:\program files\Long Live The Queen

2012-06-10 01:27:58 -------- d-----w- c:\program files\Winter Wolves

2012-06-10 01:27:47 -------- d-----w- c:\windows\system32\2055

2012-05-29 04:08:47 -------- d-----w- C:\Downloads

.

==================== Find3M ====================

.

2012-06-17 23:18:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-17 23:18:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-16 08:55:34 1074636 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-06-16 08:55:34 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-06-16 08:55:10 1074636 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-06-15 03:15:03 72748 ----a-w- c:\windows\unins000.exe

2012-06-02 05:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 05:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 05:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 05:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 05:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 05:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 05:18:58 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 05:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys

2012-05-15 10:18:00 883008 ----a-w- c:\windows\system32\nvgenco32.dll

2012-05-15 10:18:00 65536 ----a-w- c:\windows\system32\OpenCL.dll

2012-05-15 10:18:00 6012928 ----a-w- c:\windows\system32\nvcuda.dll

2012-05-15 10:18:00 4373248 ----a-w- c:\windows\system32\nv4_disp.dll

2012-05-15 10:18:00 2530624 ----a-w- c:\windows\system32\nvcuvid.dll

2012-05-15 10:18:00 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-05-15 10:18:00 2359808 ----a-w- c:\windows\system32\nvapi.dll

2012-05-15 10:18:00 18771968 ----a-w- c:\windows\system32\nvoglnt.dll

2012-05-15 10:18:00 17543168 ----a-w- c:\windows\system32\nvcompiler.dll

2012-05-15 10:18:00 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2012-05-15 10:18:00 1000768 ----a-w- c:\windows\system32\nvdispco32.dll

2012-05-15 09:40:26 54272 ----a-w- c:\windows\system32\nvwddi.dll

2012-05-15 09:40:02 15504192 ----a-w- c:\windows\system32\nvcpl.dll

2012-05-15 09:40:02 143680 ----a-w- c:\windows\system32\nvcolor.exe

2012-05-15 09:40:01 164160 ----a-w- c:\windows\system32\nvsvc32.exe

2012-05-15 09:40:01 108352 ----a-w- c:\windows\system32\nvmctray.dll

2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-24 07:13:24 51144 ----a-w- c:\windows\system32\drivers\Soluto.sys

2012-04-20 19:29:52 81920 ------w- c:\windows\system32\ieencode.dll

2012-04-04 05:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 21:15:07.14 ===============

Attach Log

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 16/06/2012 7:34:36 PM

System Uptime: 22/06/2012 9:12:16 PM (0 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3

Processor: Intel Pentium III Xeon processor | Socket 775 | 2833/333mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 293 GiB total, 92.406 GiB free.

D: is Removable

E: is Removable

G: is Removable

H: is Removable

I: is FIXED (NTFS) - 639 GiB total, 529.801 GiB free.

J: is CDROM ()

K: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

Description: HID Non-User Input Data Filter (KB 911895)

Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&9A390B8&0&0000

Manufacturer: Microsoft

Name: HID Non-User Input Data Filter (KB 911895)

PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&9A390B8&0&0000

Service: NuidFltr

.

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

Description: HID Non-User Input Data Filter (KB 911895)

Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&9A390B8&0&0002

Manufacturer: Microsoft

Name: HID Non-User Input Data Filter (KB 911895)

PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&9A390B8&0&0002

Service: NuidFltr

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SM Bus Controller

Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_50011458&REV_00\3&13C0B0C5&0&FB

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_50011458&REV_00\3&13C0B0C5&0&FB

Service:

.

==== System Restore Points ===================

.

RP1: 16/06/2012 9:44:22 PM - System Checkpoint

RP2: 16/06/2012 10:05:49 PM - Software Distribution Service 3.0

RP3: 16/06/2012 10:30:00 PM - Software Distribution Service 3.0

RP4: 16/06/2012 10:34:24 PM - Software Distribution Service 3.0

RP5: 18/06/2012 12:28:54 PM - System Checkpoint

RP6: 19/06/2012 6:08:40 PM - System Checkpoint

RP7: 20/06/2012 7:24:28 PM - System Checkpoint

RP8: 22/06/2012 6:05:31 PM - System Checkpoint

.

==== Installed Programs ======================

.

"Nero SoundTrax Help

µTorrent

マジカルバトルアリ

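The Pseudo HJT and "Created Last 30" sections of the DDS log above are where a helper would start triage: three Run entries launch code from the user's Application Data folder (one of them through rundll32.exe), and the same DLLs and a new directory appear in the recently-created list. The following script is an added example, not part of this thread or of the DDS tool, and it shows the same reasoning as detection logic: it parses DDS-style Run and Created lines, flags entries that execute from a user-writable profile directory, and correlates persistence entries with recently created files. The sample lines are constructed copies modelled on the log above, and the user-writable path pattern assumes the Windows XP profile layout seen there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the DDS log in this thread
# (two benign Run entries are included for contrast).
SAMPLE_RUN_LINES = [
    r'uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe',
    r'uRun: [Oryxaqr] "c:\documents and settings\sakura\application data\neaf\owni.exe"',
    r'mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice',
    r'mRun: [iaptrf] rundll32.exe "c:\documents and settings\sakura\application data\iaptrf.dll",HrByteToStream',
    r'mRun: [arisr] "c:\windows\system32\rundll32.exe" "c:\documents and settings\sakura\application data\arisr.dll",FileHandleToInstanceNameA',
    r'mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
]
SAMPLE_CREATED_LINES = [
    r'2012-06-22 05:28:14 -------- d-----w- c:\documents and settings\sakura\application data\Neaf',
    r'2012-06-16 08:05:49 370688 ----a-w- c:\documents and settings\sakura\application data\arisr.dll',
    r'2012-06-16 00:33:34 444952 ----a-w- c:\windows\system32\wrap_oal.dll',
    r'2012-06-14 02:59:09 132608 ----a-w- c:\documents and settings\sakura\application data\iaptrf.dll',
]

# DDS "Run" lines: scope (u=user, m=machine, d=default), registry value name, command.
RUN_RE = re.compile(r'^(?P<scope>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# DDS "Created Last 30" lines: date, time, size (or dashes for a directory), attributes, path.
CREATED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\S+) '
    r'(?P<attrs>\S+) (?P<path>.+)$')
# Assumption: Windows XP profile layout, as in the log. Anything launched from
# here was written by an ordinary user process, not by an installer into Program Files.
USER_WRITABLE_RE = re.compile(
    r'\\documents and settings\\[^\\]+\\(application data|local settings)\\', re.I)
# A command line token is either a quoted string or a bare token containing a backslash.
PATH_RE = re.compile(r'"([^"]+)"|(\S*\\\S+)')


def extract_paths(cmd: str) -> List[str]:
    """Return every file path referenced in a Run command line, lower-cased."""
    paths = []
    for quoted, bare in PATH_RE.findall(cmd):
        token = quoted or bare
        # rundll32 syntax is "<dll>,<export>"; keep only the DLL path.
        paths.append(token.split(',', 1)[0].lower())
    return paths


def triage_run_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a Run entry whose target lives in a user-writable profile directory."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    uses_rundll32 = 'rundll32' in cmd.lower()
    for path in extract_paths(cmd):
        if USER_WRITABLE_RE.search(path):
            reason = ('rundll32 loads a DLL from a user-writable directory' if uses_rundll32
                      else 'autorun launches an executable from a user-writable directory')
            return {'name': name, 'path': path, 'reason': reason}
    return None


def triage_created_line(line: str) -> Optional[Dict[str, str]]:
    """Flag executable code or new directories created under the user's profile."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    path = m.group('path').lower()
    if not USER_WRITABLE_RE.search(path):
        return None
    if path.endswith(('.exe', '.dll', '.sys')):
        reason = 'executable code written to a user-writable directory'
    elif m.group('size') == '--------':
        reason = 'new directory created under the user profile'
    else:
        return None
    return {'date': m.group('date'), 'path': path, 'reason': reason}


def correlate(run_hits: List[Dict[str, str]], created_hits: List[Dict[str, str]]) -> List[str]:
    """Names of flagged Run entries whose file, or parent directory, was created recently."""
    created = {h['path'] for h in created_hits}
    names = []
    for hit in run_hits:
        parent = hit['path'].rsplit('\\', 1)[0]
        if hit['path'] in created or parent in created:
            names.append(hit['name'])
    return names


def triage_log(run_lines: List[str], created_lines: List[str]) -> Dict[str, list]:
    """Run both passes over DDS lines and correlate the results."""
    run_hits = [h for h in map(triage_run_line, run_lines) if h]
    created_hits = [h for h in map(triage_created_line, created_lines) if h]
    return {'run': run_hits, 'created': created_hits,
            'correlated': correlate(run_hits, created_hits)}


if __name__ == '__main__':
    result = triage_log(SAMPLE_RUN_LINES, SAMPLE_CREATED_LINES)
    for hit in result['run'] + result['created']:
        print(hit['reason'], '->', hit['path'])
    print('persistence entries backed by recently created files:', result['correlated'])
```

The correlation step is the useful part: a Run entry pointing into Application Data is suspicious on its own, but when the same DLL, or the directory holding the EXE, also appears in the last-30-days list the two independent sections of the log reinforce each other, which is the pattern a helper reading this thread would act on before asking for further logs.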

Hello Quolli! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Step 1

Please uninstall µTorrent, because of our rules:

http://forums.malwarebytes.org/index.php?showtopic=97700

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • MBRCheck log
  • a new fresh DDS log file


Hello Maniac, thank you for the fast reply.

I should tell you that about a week ago I was also infected by several trojans which were able to be cleaned successfully. I gave it the benefit of the doubt and thought that I was clean; nevertheless I created a topic for my suspicions but forgot all about it. You may find the logs in it useful. Here is the topic: http://forums.malwarebytes.org/index.php?showtopic=111140&st=0&p=560638entry560638

I have uninstalled uTorrent and disconnected my PC from the Internet like you have asked.

There are a few questions I would like to ask you before I move onto the next steps.

1. My HDD is partitioned (let's call them C:/ and A:/). The main drive (ie the one that is infected) is C:/. Will my I:/ be "untouched"?

2. This leads on from the previous question. If I decide to take the easy route out and do a fresh install on Windows, will I:/ need to be wiped? (I've got some important files on that drive, hence why they are stored in the partition).

3. If Yes is the answer to 1. I would like to proceed and do a fresh install of Windows. Will you be posting a guide on how I can most effectively (or correctly I should say) reinstall Windows?


No, it does not affect your personal information except that it is a backdoor and may already be available to a third party. I already sent you great articles about that. Take a look at my first post again or for the first time:

http://forums.malwarebytes.org/index.php?showtopic=111508&view=findpost&p=563194


Thank you for your help, I have read them, but am still a bit unsure.

Could you possibly answer the HDD questions in simpler terms? I don't really understand what the content in the links are saying.

In regards to the Format link you have sent me, I was hoping for a step by step guide that details what I should do right from the beginning (ie, what options to select from the disk etc)

If I do decide to continue with the cleaning, would it be safe to use a USB to transfer the relevant scanning programs?


Could you possibly answer the HDD questions in simpler terms?

If you read again what I have given you as information:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

This means that the data on your system may already be available to someone else, i.e. your personal data (photos, passwords and other sensitive information) may already be available to any cyber criminal. Your entire system has an open door for cyber criminals. When reinstalling, you can leave the data of drive I:\ .

In regards to the Format link you have sent me, I was hoping for a step by step guide that details what I should do right from the beginning (ie, what options to select from the disk etc)

Take a look here:

http://windows.microsoft.com/en-us/windows/help/install-reinstall-uninstall

If I do decide to continue with the cleaning, would it be safe to use a USB to transfer the relevant scanning programs?

Yes, it is not a bad idea, but you should take care of the USB first.


Thank you very much for your help. I have decided to take the reinstall Windows route of my PC. You have been incredibly helpful and patient.

I am a bit paranoid about the current computer that I have been using as my computers are connected via an Internet router. Do you have any recommendations of what I should do? This computer uses Kaspersky Internet Security Trial as well as Malware Bytes and SUPER Anti Spyware. Would I need to open up a new topic for this, or would it be better to continue with the same topic?
