Jump to content

MBAM Pro User-Infected with 'Malaware.Trace', 'Trojan.VBS', 'Trojan.MSIL', 'vbc.exe'


samsat

Recommended Posts

Hi,

I was infected with the above malwares. I was upto a point towards completion.

With the database corruption, my post and its details are gone.

'Jeffce' was helping me with this resolution. I don't know, whether with the new thread 'Jeffce' is supposed to look at it or anyone else needs to take over.

Thanks and appreciate your time.

Best

Sam

Link to post
Share on other sites

Hi,

Sorry for any inconvenience.

If you don't mind, if I recall correctly we had already ran Malwarebytes and ESET online scanner. Is that correct?

Please run a new scan with DDS and post the logs and we can pick this back up. :)

Link to post
Share on other sites

Hi Jeffce,

Please find the outputs of the DDS attached herewith. I hope am using the latest DDS scanner.

Couple of Queries:

  1. How do I ensure that there are no more infections left?
  2. How do I uninstall DDS and aswMBR?
  3. Should I also remove the system checkpoint created after the malware infection on 28th-Oct night? 29th onwards couple of system restores were done by vista while using aswMBR, Combofix etc.

I used 'tcpview' by sysinternals to monitor my net connections. It seems svcshost.exe is connecting to many a places including china. I was reading online while searching for 1 of the ip addresses and somebody has advised kaspersky uses online servers for their protection mechanism so that might be the process which connects to various IPs around the world. I don't know whether that is the case or Kaspersky itself got infected :).

Please do let me know in case of any queries.

Thanks and appreciate your inputs on this.

best

Sam

[For your reference our activities timeline in brief: My system got infected on 28-oct-12 with the malware. The payload i received via file transfer on im communication. Scanning the payload 'image.exe' file by kaspersky AV and MBAM Pro did not reveal any susipicions and I clicked on it. I was in 'admin' mode while this happenned.

29-Oct-12 - I created a thread here and you had picked it up. I uploaded my DDS outputs in the first post. Then you instructed me to run aswMBR and post the outputs. After that I ran ComboFix as suggested. After 'ComboFix' the system hogging processes were cleared.

Then I pointed out that my admin user have a alias created for it called 'Test' which is not removed. For which you recommended Eset scanner. Eset did not pick up anything. Since then as per our discussion I have uninstalled ComboFix. And then MBAM forum got corrupted.]

dds.txt

attach.txt

Link to post
Share on other sites

I am not quite sure if we ran this or not, but the DDS log looks fine. We will deal with the Restore Points later.... Since ESET and Malwarebytes came up clean and this topic got turned on its head please do the following....

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

Post the TDSSKiller log and let me know how your system is running. :)

Link to post
Share on other sites

The system is running fine after the clean up.

Scanners are running clean.

Great!

--------

So now how do I ensure that there are no rootkits left? What's the sureshot way? A format?
Well a format would be the only way to be 100% sure, but I am not seeing anything else in the logs that you are producing for me to worry about. :)

------------

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

----------

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run box. Copy/paste the following text into the Run box as shown and click OK.

Combofix /Uninstall

(Note: There is a space between the ..X and the /U that needs to be there.)

CF.jpg

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

If you didn't already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer. Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox. If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:

NoScript

AdBlock Plus

3. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:

  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

4. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

5. Firewall

Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. I would personally only recommend using one of the following two below:

Online Armor Free

Agnitum Outpost Firewall Free

6. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

7. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8.Finally, I strongly recommend that you read How to Prevent Malware found here and also PC Safety and Security - What Do I Need?.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Link to post
Share on other sites

Hi Jeff,

Last thing. I found couple of logs of 'TDSKiller' herewith in my C: drive. I ran it just now with the option to scan for the loaded modules. Last time i had not checked that. 'TDSKiller' found some files. But suggested no cures for them. Please do let me know what you think.

If everything is clear, please let me know the following before we close:

  1. How do I uninstall 'dds.scr'? Should I just delete it?
  2. Should I delete the system restore points created after the date of infection?
  3. What about the user 'test'? Do you think it is fine just to leave it? It seems my admin user name got changed to 'Test'. I can not find even where is this change done in Vista. Vista shows my username as I had defined it earlier and not as 'Test'.

Anyways, please do let me know.

Thanks for all the help again.

Best

Sam

TDSSKiller.2.8.15.0_03.11.2012_11.31.23_log.txt

TDSSKiller.2.8.15.0_03.11.2012_11.38.24_log.txt

Link to post
Share on other sites

In addition to the above post, I found 2 folders, 'backup' and 'boot' in my c drive. 'boot' has multiple folders for various languages. Were these created by any of the tools we used. I saw the timestamp for these as last year. just thought to check with you.

Thanks

Sam

Link to post
Share on other sites

Last thing. I found couple of logs of 'TDSKiller' herewith in my C: drive. I ran it just now with the option to scan for the loaded modules. Last time i had not checked that. 'TDSKiller' found some files. But suggested no cures for them. Please do let me know what you think.
Don't do anything with what TDSSKiller found on the run that you did. We saw what we needed. :) Go ahead and just delete TDSSKiller and all of the folders associated with it.

---------

  1. How do I uninstall 'dds.scr'? Should I just delete it?
  2. Should I delete the system restore points created after the date of infection?
  3. What about the user 'test'? Do you think it is fine just to leave it? It seems my admin user name got changed to 'Test'. I can not find even where is this change done in Vista. Vista shows my username as I had defined it earlier and not as 'Test'.

1. Just drag it to the Recycle Bin

2. Your Restore Points will be fixed up when you uninstall ComboFix

3. I don't think this is a problem but you may want to post a new topic in the PC Help forum. If you do do that please be sure to put a link to this topic there so that the techs can see just what we have done.

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.