
I got some kind of virus yesterday PM, it started with an official-looking window scanning for viruses & when done said it found 30 threats. (And of course if I went to their website, for $79.95 they could fix the problem!) At the time, a couple of programs were running & continued to, with the exception of IE. It was automatically closed & when I tried to reopen it & to restore the tabs, every one it tried to open said it was infected & couldn't open, except the ones with a secure site (e.g. my bank). Since then, I have rebooted & now I can't open anything. When I try, a window opens & asks what program I would like to use to open it, & then every program says there are files missing. HELP PLEASE!!


Figured I'd give an update. Was going to run MW this morning off a memory stick from my laptop. It didn't find the stick when I plugged in, so I rebooted. Now it says "No Operating System". I can't even get to safe mode. I think I'm screwed! Right?


  • Staff

Hi,

Ouch. Do you have your Windows CD?

See if these can get you back to limping:

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files, which you boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disc to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.


Thanks for your reply! I am totally baffled now. When I received your reply, I had already disconnected the computer entirely to take it & get it fixed since I thought it was toast. When I got your possible solution, thought I would give it another shot & reconnected it. It actually booted up & asked if I wanted to start Windows normally. Thought I should stay on the safe side, so I started it in safe mode with networking. OK, next?


Thought it wouldn't hurt to run MW, so here is the log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6657

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

5/23/2011 1:33:47 PM
mbam-log-2011-05-23 (13-33-30).txt

Scan type: Quick scan
Objects scanned: 166356
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> No action taken.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Keith\AppData\Local\mbi.exe" -a "%1" %*) Good: ("%1" %*) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Keith\AppData\Roaming\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> No action taken.
c:\Users\Keith\AppData\Local\Temp\0.4795656567467692.exe (Trojan.FakeAlert) -> No action taken.
c:\Users\Keith\local settings\wlp.exe (Trojan.FakeAlert) -> No action taken.
c:\Users\Keith\local settings\application data\wlp.exe (Trojan.FakeAlert) -> No action taken.

I appreciate all your help! Thanks!

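The log above shows the two mechanisms behind the symptoms in the first post: the `.exe` file handler was redirected through `mbi.exe` (so every program launch first ran the fake AV, and a broken handler is what typically produces the "which program would you like to use to open this" prompt), and `conhost.exe` was set to autostart from the user profile. The following is an added example, not code from this thread or from Malwarebytes, that turns those findings into a repeatable triage check: it compares the registry locations MBAM flagged against assumed Windows 7 defaults and flags autostart entries that run from user-writable directories. The snapshot dicts are constructed from the log (values the log does not print are labelled placeholders); reading a live registry via `winreg` is deliberately left out so the script runs on any platform.

```python
import re

# Known-good values for the locations the log flagged. Assumption: Windows 7
# defaults; None means the value should be empty or absent on a clean system.
EXPECTED = {
    r"HKCR\exefile\shell\open\command\(default)": '"%1" %*',
    r"HKCR\.exe\shell\open\command\(default)": None,
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": None,
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load": None,
}

# Autostart commands living under a user-writable profile directory are a
# strong signal regardless of their name; these are the directories in the log.
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp)\\", re.IGNORECASE)

# Constructed snapshot mirroring the log: the .exe handler was redirected through
# mbi.exe and conhost.exe was registered under HKCU\...\Run. Values the log does
# not print are filled with labelled placeholders, not real data.
INFECTED = {
    r"HKCR\exefile\shell\open\command\(default)":
        r'"C:\Users\Keith\AppData\Local\mbi.exe" -a "%1" %*',
    r"HKCR\.exe\shell\open\command\(default)": "<placeholder: hijacked command>",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "<placeholder: non-default shell>",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load": "<placeholder: loader path>",
    "RUN": {"conhost": r"C:\Users\Keith\AppData\Roaming\microsoft\conhost.exe"},
}

# Constructed clean snapshot: default handler, one vendor autostart under Program Files.
CLEAN = {
    r"HKCR\exefile\shell\open\command\(default)": '"%1" %*',
    "RUN": {"vendorupdate": r"C:\Program Files\Vendor\update.exe"},
}


def audit(snapshot):
    """Return one finding per deviation from EXPECTED or suspicious Run entry."""
    findings = []
    for key, expected in EXPECTED.items():
        actual = snapshot.get(key)
        if expected is None:
            if actual:
                findings.append(f"{key}: should be empty, found {actual!r}")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    for name, command in snapshot.get("RUN", {}).items():
        if USER_WRITABLE.search(command):
            findings.append(f"Run\\{name}: autostart from user-writable path {command!r}")
    return findings


if __name__ == "__main__":
    for line in audit(INFECTED):
        print(line)
```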

  • Staff

Hi,

Yes that's fine.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Thanks Chris, I disconnected from the internet the second I read your warning & have changed my bank password. Since I used a memory stick to run MW I downloaded to my laptop, is the stick likely to be infected as well?

Oh, and since I still have access to files can I remove any without risk of being infected? Or should I not take a chance & just format?


  • Staff

Hi,

Doubtful your USB drive is infected, and you should be fine backing up your data.

Here is my standard prevention speech for after you format and reinstall Windows:

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Hi Chris, all your help is really appreciated! I just had one more question then I'll leave you alone. I didn't mention before, but the machine either has 2 hard drives or 1 with a partition. I had it built for me & don't remember which. But I do know the reason was to separate the OS from all my programs & saved data. Do I have to format everything, or just the OS area?

Thanks again!


Good news Chris, I'm answering this from the infected machine. I took your advice & formatted the HD & reinstalled everything (well almost). Before connecting to the internet I installed Spyware Blaster & WOT like you recommended. I was running E-set Security before because it was recommended to me by an IT friend but I guess it didn't catch everything. I still have to read Tony Klein's article.

I really appreciated all your help & will recommend this site to others.

Thanks again Chris - - - - YOU'RE THE MAN!!


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

