
Backdoor.Generic14.abvq Infection


hpigeon

Hi, my PC seems as though it has been infected by both the Win32/Katusha.A virus as well as the backdoor.generic14.avbq trojan horse. I have AVG 2011 paid edition as well as Malwarebytes installed on my PC and neither seems to be able to remove the infection. I also tried the online virus removal tool from ESET, which said it was successful, but it seems not so. The infections keep hindering my attempts to scan, download, or even load Malwarebytes; however, I was able to reboot the PC in Safe Mode with Networking. I had kept my Malwarebytes installation file on my PC, so I was able to reinstall it, update it and scan. It did find the infections and quarantined them. I tried deleting them, and was unsuccessful. I then restarted the PC in normal mode, repaired AVG and scanned again, and the problems have continued. They seem to be associated with or activated by desktop.ini as well as Firefox. I don't know how much information I may be able to gather and post due to the resistance I keep experiencing on my PC (I'm posting here from another one), but any suggestions you have would be extremely appreciated.


The DDS log is as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Heidi at 23:47:04 on 2011-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2943.1999 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\2906713060:454344530.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\SelectRebates\SelectRebates.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\USB\USBPhoneRecorderV3.0\USBRecorder.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\VERTAB~1\VERTAB~1.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://portal.arise.com/Login.aspx
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\all users\application data\konasys32\gska\obesy.exe,
uWinlogon: Shell=c:\documents and settings\heidi\local settings\application data\e4eb40ad\X
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [u.S. Robotics Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [selectRebates] c:\program files\selectrebates\SelectRebates.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [usbFiho] "c:\program files\usb\usbphonerecorderv3.0\USBRecorder.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\heidi\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271896429281
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {A7A61125-0EAA-11D1-B22F-0000C08C00C4} - hxxp://sbr.staples.com/Div$/ocx/ssdw3b32.ocx
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ns.arise.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
TCP: Interfaces\{306F4201-71D0-462D-BF4B-FB059E923367} : DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
TCP: Interfaces\{69B0B921-A722-4404-9D8B-E1C408A7D32B} : DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\heidi\application data\mozilla\firefox\profiles\1dcem76n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk|http://us.mg201.mail.yahoo.com/dc/launch?.gx=1&.rand=4c24768tflp0i|http://www.weightwatchers.com/plan/index.aspx
FF - component: c:\documents and settings\heidi\application data\mozilla\firefox\profiles\1dcem76n.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\heidi\application data\mozilla\firefox\profiles\1dcem76n.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\documents and settings\heidi\application data\mozilla\firefox\profiles\1dcem76n.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 ssfs0bbd;ssfs0bbd;c:\windows\system32\drivers\ssfs0bbd.sys [2009-12-17 28936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-23 47640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-10-9 57248]
S2 avgfws;AVG Firewall;"c:\program files\avg\avg10\avgfws.exe" --> c:\program files\avg\avg10\avgfws.exe [?]
S2 FreeAgentGoNext Service;Seagate Service;"c:\program files\seagate\seagatemanager\sync\freeagentservice.exe" --> c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-14 136176]
S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-14 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-6-27 30560]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-12 03:03:08 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 20:40:43 -------- d-----w- c:\program files\ESET
2011-10-08 03:58:20 -------- d-----w- C:\82cb147fccc52f325160c3
2011-10-08 02:08:14 -------- d-sh--w- c:\documents and settings\heidi\local settings\application data\e4eb40ad
2011-09-27 20:59:55 134 ------w- c:\documents and settings\heidi\neoteris_write_32681756.reg
2011-09-19 19:02:40 134 ------w- c:\documents and settings\heidi\neoteris_write_6559246.reg
2011-09-15 03:02:50 134 ------w- c:\documents and settings\heidi\neoteris_write_17589254.reg
2011-09-14 17:47:36 -------- d-----w- c:\windows\system32\ms-MY
2011-09-14 17:47:36 -------- d-----w- c:\windows\system32\hu-HU
2011-09-14 17:47:36 -------- d-----w- c:\windows\system32\cs-CZ
2011-09-14 17:47:35 -------- d-----w- c:\windows\system32\zh-CN
2011-09-14 17:47:35 -------- d-----w- c:\windows\system32\ru-RU
2011-09-14 17:47:35 -------- d-----w- c:\windows\system32\pl-PL
2011-09-14 17:47:35 -------- d-----w- c:\windows\system32\ja-JP
2011-09-14 17:34:41 134 ------w- c:\documents and settings\heidi\neoteris_write_23632030.reg
2011-09-14 00:23:35 134 ------w- c:\documents and settings\heidi\neoteris_write_29732654.reg
.
==================== Find3M ====================
.
2011-10-08 16:16:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-06 12:56:55 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.001.bak
2011-10-06 12:56:55 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-06 12:56:54 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-06 12:56:54 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-06 12:56:54 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-05 18:35:17 134 ------w- c:\documents and settings\heidi\neoteris_write_4102093.reg
2011-08-21 00:18:06 134 ------w- c:\documents and settings\heidi\neoteris_write_50512.reg
2011-08-18 13:02:46 134 ------w- c:\documents and settings\heidi\neoteris_write_2159683.reg
2011-08-12 19:22:57 134 ------w- c:\documents and settings\heidi\neoteris_write_28117049.reg
2011-08-05 16:20:18 332800 ----a-w- c:\windows\system32\ZuneCoInst.dll
2011-07-30 14:02:31 134 ------w- c:\documents and settings\heidi\neoteris_write_17912146.reg
2011-07-29 00:54:24 947472 ----a-w- c:\windows\system32\msjava.dll
2011-07-16 12:34:49 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-07-16 12:34:49 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 23:47:14.92 ===============

Malwarebytes' Anti-Malware would not run or launch. I rebooted in Safe Mode with Networking and was able to reinstall and update the Anti-Malware program; however, when trying to launch it I encountered the same error. Again I rebooted in Safe Mode with Networking, reinstalled Malwarebytes and updated it. I then rebooted again in Safe Mode without Networking and was able to run the program. I just tried to grab the log and it won't open again. I will try again to reboot into Safe Mode and copy the log to post.

The GMER Rootkit Scanner also would not function. The scan would begin and the program would shut down within the first seconds of being run. I also tried running that program in Safe Mode and Safe Mode with Networking; however, the option to Scan was removed from the application while the PC was loaded in those modes.

attach.txt

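Two lines in the DDS log above carry the persistence a helper would look at first: the Winlogon Userinit value has a second executable appended after userinit.exe, the Winlogon Shell value points at a file in a hidden per-user folder instead of Explorer.exe, and the running-process list contains a path with a colon inside the file name, which is how an NTFS alternate data stream shows up. The script below is an added example written for this thread, not code from the original poster, from Malwarebytes or from the DDS tool. It parses lines in the DDS "Pseudo HJT Report" layout and flags those three conditions. The stock Windows XP defaults it compares against (Userinit `c:\windows\system32\userinit.exe,` and Shell `Explorer.exe`) are assumptions based on a clean install, not values from the page; the sample input is constructed from lines in the posted log plus one clean line for contrast.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread
# (Running Processes and Pseudo HJT Report sections) plus one benign mRun line.
SAMPLE_DDS = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\2906713060:454344530.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\all users\application data\konasys32\gska\obesy.exe,
uWinlogon: Shell=c:\documents and settings\heidi\local settings\application data\e4eb40ad\X
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
"""

# Assumed clean-install defaults for Windows XP (not taken from the page).
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe"}
DEFAULT_SHELL = "explorer.exe"

# DDS prefixes Winlogon entries with "m" (machine hive) or "u" (user hive).
WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(Userinit|Shell)=(.*)$", re.IGNORECASE)

# A full path whose last component contains a second colon: "file:stream" is
# the syntax for an NTFS alternate data stream, which never appears in a
# normal executable path.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*[^\\]:[^\\]+$")


def check_winlogon(key, value):
    """Return (finding_type, detail) tuples for a Winlogon Userinit or Shell value."""
    findings = []
    if key.lower() == "userinit":
        # Userinit is a comma-separated list; anything beyond the default is extra.
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        for entry in entries:
            if entry not in DEFAULT_USERINIT:
                findings.append(("userinit-extra", entry))
    elif key.lower() == "shell":
        if value.strip().lower() != DEFAULT_SHELL:
            findings.append(("shell-replaced", value.strip()))
    return findings


def scan_dds(text):
    """Scan DDS-style lines and return findings in the order they occur."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            findings.extend(check_winlogon(m.group(1), m.group(2)))
            continue
        if ADS_RE.match(line):
            findings.append(("ads-executable", line))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_dds(SAMPLE_DDS):
        print(f"{kind:16} {detail}")
```

Run against the sample it reports the ADS-named process, the extra Userinit executable and the replaced Shell, and nothing for the AVG or spooler lines. The Winlogon check deliberately whitelists rather than blacklists: any value that is not the known default is reported, so it does not depend on recognising a particular family's folder names.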

MBAM Log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7926

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

10/11/2011 11:35:32 PM
mbam-log-2011-10-11 (23-35-15).txt

Scan type: Quick scan
Objects scanned: 201024
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\e4eb40ad (Backdoor.0Access) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\2906713060:454344530.exe (Backdoor.0Access) -> No action taken.


I also ran the TDSSKiller rootkit removal tool, which also found two infections and indicated it had successfully "cured" the infection; however, the problems continued after reboot. Earlier today AVG identified a new infection which keeps recurring. The newest threat name is TR/Crypt.XPACK.Gen.

At this point I'm wondering if the best bet would be to reinstall the operating system; however, I don't know what is infected that may transfer upon backup and be reinstalled in OS again.


  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Hi Chris,

I actually did reinstall the OS last night. However, first I did sync my files with SugarSync's online backup storage. These were not application files, only data. I did also upload my Outlook and Quicken data files. I have since reloaded everything in my PC, including those files and everything is scanning and behaving well so far. Do you have any concerns or suggestions on that action which I should be aware of?

Additionally, other than waiting for something to pop up again in the AV scanner, is there any way to determine from the logs where this infection may spread to or what types of files it compromises? Specifically, is there a proactive way to check the other desktop, which uses the same router but is not connected via a home network, for an infection, other than waiting for it to reappear? I really don't want to have gone to all this work to have it begin spreading again. Also, could it compromise any type of hard drive receiving service from the router, such as my Windows phone or a Wii? Or a better question, I guess, would be: what is the likelihood of this happening?

Is there any way to determine how I became infected in the first place? I have AVG Internet Security 2011 (paid edition). I was not happy to find the infections were able to get through. Any suggestion on ensuring this does not happen again?

Thanks a lot Chris for any info you can provide for me.


  • Staff

Hi,

It's difficult to tell a lot of that at this point. I can tell you that it's incredibly unlikely to have spread through your router.

Backdoor trojans are not really the same as file infectors. Sometimes one includes the other but it's not mandatory. Backdoor trojans don't generally infect the actual files on their own; however, the network activity they can activate is what is problematic (I suggest reading about botnets if you get the chance). That's why I said in this case it would be safe to backup your photos, documents, etc., because they are very likely to be safe to backup.

I am of the opinion that security software with recurring billing is not necessary. I use Microsoft Security Essentials (free) and the PRO version of MBAM (one-time purchase of $25 for lifetime protection), and I've never had an issue. With those, it's likely that this issue would have been prevented in the first place.

Here is my standard prevention speech:

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Hope I answered your questions and do not hesitate to ask if you have any further questions.

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.