Jump to content

Password Field Infection


Recommended Posts

This may sound funny, but I believe my computer may have picked up some malware or virus. Make a long story short, I let my mom use my computer one night when I was gone to look up something she wanted to buy. When I got home she must of clicked every link on the 1st page of google thinking that all links are for shops and stuff in our area.

 

Anyway I shut the computer down, went to bed. Next day I turned it on to do some programming and couldn't log on. after typing my password about 5 times, it let me in. I checked my keyboard, it's working 100%. Thinking that was weird, I went to close my VNC sever viewer. In-order for this program to close, you must type a password. I type my password which is not the same as my computer one. Same issue, kept telling me it the wrong password till about the 5th try. Just to confirm this issue. I went to a website that I have to log into in order to view stats for my game servers I run. Same issue. 

 

What ever I picked up seems to react to any password field.

 

My next course of actions. I ran my AVG 2013 (Paid) version. It found nothing.

I then download Advast and ran that and it hit an exploit for Java but never fixed the issue.

I then ran McFee, it got another Java exploit but again no luck for the issue

I then ran Kaspersky and it found nothing.

And then I ran Malwarebytes and it found a Trojan.Siredef.C and Trojan.Zaccess virus.

 

So being the type of person I am, I went into safe mode and I went to the only file for this virus as the rest was folders and registry data. And I grab this file out of the hidden recycle bin folder it was in and ran it against jotti and virustotal mass scanners to see what comes back. Only 3 virus programs picked up on the file and called it out as a Trojan.Siredef or Trojan.Zaccess.

 

So I packaged it up in a password protected zip file and sent it to AVG to add protection from it (Not the 1st time I had to do AVG job, but last time they had an update for me in an hour and their program did clean it up). AVG got back to me 2 days later and told me that the file was clean and that I am mistaken, even tho I gave them the links showing other anti-virus programs picked up on it.

 

I cleaned the virus with Malwarebytes and the password issue does not seem to be here anymore. I emailed AVG back and told them they're wrong as Malwarebytes just cleaned that file and the issue is now gone. AVG wrote me back saying the file is clean. The file is not an executable file and can't be the source of the virus. 

 

Now maybe they are right, maybe they are wrong. But I notice today that my computer has 3 rundll32.exe running. And I don't know why.

 

So maybe you can help me find out why they are running. I added the dds.txt, attach.txt, and I even added a pic of the virus that malwarebytes picked up on and cleaned.

 

PS: Because Malwarebytes picked up on this, I bought it :)

 

dds.txt attach.txt post-148168-0-17986800-1384299532_thumb.

Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin

Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

 

 

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

  •  

     

  • Double-click to run it. When the tool opens click Yes to disclaimer.

     

     

  • Press Scan button.

     

     

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

     

     

  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

     

     

 

 

Kevin

 

Sorry about that, I forgot I still had uTorrent. I needed it one day as a text book I have has the files needed for the exercises downloadable in a Torrent format. I did however have it setup to not run, but now it should be 100% removed from my computer as I just uninstalled it.

 

FRST.txt Addition.txt

Link to post
Share on other sites

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log...

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs, also give an update on any current issues or concerns...

 

Kevin

fixlist.txt

Link to post
Share on other sites

Step 1:

 

Fixlog.txt

 

Step 2:

 

mbam-log-2013-11-13 (18-34-06).txt

 

Step 3:

 

ESET SCAN.txt

 

Step 4:

 

checkup.txt

 

Some of the infections found EG Game Hacks in the ESET scan are false, they look like it to AV programs because they are game trainers that edit the memory access values in games to give things like Inf health.

Link to post
Share on other sites

ESET log shows nothing malicious, up to you if you want to keep/delete those entries..

 

Next,

 

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

 

Step 1 - Select your Operating System.

Step 2 - Select your Langauge.

Step 3 - Select latest version.

 

Untick the option for any security scanner or toolbar if offered.

 

Download and install.

 

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Next,

 

Your Java javaicon.gif is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

 

Next,

 

The HD will require defragging soon, instructions here: http://windows.microsoft.com/en-gb/windows7/improve-performance-by-defragmenting-your-hard-disk if required..

 

Let me know if the updates complete ok, also if any remaining issues or concerns....

 

Kevin

Link to post
Share on other sites

Ok I have done everything you asked but the defrag as the drive is an SSD and doesn't need it.

 

So is it safe to say that this infection I had that started out as not allowing me to enter the right password into any password protected field is gone now ?

 

I can't help but think that the only purpose of such a virus is to log the password they enter and force them to have too reset passwords and log any information needed for changing a user password such as DOB, Names, and other security information.

 

I'd like to think I am safe now so I can order a Christmas gift for my girl without wondering if a virus is on my computer reporting back to some scum bag my card numbers and account info. This is why I use VPN's and ID security programs, but a VPN can't stop a key logger virus / infection if it on your computer.

Link to post
Share on other sites

That is not unusual have multiple entries for Rundll32.exe, have a read here:

 

http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

 

That link is for Vista, I believe is the same for W7...

 

Any other issues or concerns?

 

No as long as you believe I am good to go, then I will trust that all is good. I must go order a Christmas gift now, been afraid to do so using this computer thinking I am going to get my card number took by some key logger.

 

by the way, thanks Kevin for all your help. I can't give much but I hope you will appreciate my 2 GBP that I sent you for all your help.

Link to post
Share on other sites

We need to remove FRST, first it is very important to deal with its Quarantine folder using FRST itself..

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

 


  •  

     


  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.

     

     


  • Double click OTC_Icon.jpg icon to start the program.

     

    If you are using Vista or Windows 7 accept UAC

     


  • Then Click the big CleanUp.jpg button.

     

     


  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.

     

     


  • Restart your computer when prompted.

     

     


  • This will remove tools we have used and itself.

     

     



 

 

Any tools/logs remaining on the Desktop or downloads folder can be deleted.

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

 

Thank you for the kind donation,

 

Kevin

fixlist.txt

Link to post
Share on other sites

Thanks Kevin for all the help again.

 

Won't need to read the info on security and best practices tho as I know the does and don'ts for not getting infected or having data read. I always keep the AVG up to date and I always use an encrypted VPN. Only reason I got this infection this time was because I left my computer in the hands of my Mother who is older and not to up to date on computers.

 

Solution, she can use my laptop next time because I couldn't care if I had to format that thing.

 

But I did come out of this issue on an upside. I got a new program to help me stay protected for less then $30, I learned some new programs and tricks to deal with suspected infections, and I found a with a great community who are friendly, knowledgeable, and very willing to help. So once again thank you Kevin and everyone else here at Malwarebytes :D    

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.