I have a bad case of MALWARE! Please help me!

Discussion in 'malware problems & news' started by Koroush47, May 20, 2009.

Thread Status:
Not open for further replies.
  1. Koroush47

    Koroush47 Registered Member

    Joined:
    May 20, 2009
    Posts:
    2
    Hello, my brother was snooping around on a hack forum and he downloaded some "facebook account stealer". Obviously a fake...

    When he opened it, the next thing that happened was the file disappeared and the computer started acting strangely after a while.

    So he shut it down and ran to me.

    I tried everything I knew... I ran a full scan with NOD32, did Malwarebytes Anti-Malware... also Spybot Search and Destroy... a few tracking cookies and other useless crap were found.

    Next thing I knew when I turned on my computer today was this:

    http://img42.imageshack.us/img42/2438/11392554.jpg
    This?

    Is something wrong?

    edit: The buttons are missing on the box for some reason..

    It said Allow change, and Deny change.

    I denied it but it kept on coming back up. So then I just did "remember this setting" and chose deny.

    I'm pretty sure this is some kind of trojan that the person who made "facebook account hacker" put on my computer and changed the name and icon.

    Can you guys please please please help me?

    I have work I need to do, I need to order hardwood flooring for my boss and I cannot do it without getting rid of all the malware in the computer. Plus I don't want to know that some creep is watching me work on my stuff...

    Please help me, I will be very grateful.
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Koroush47, first, welcome to Wilders! Try running Dr. Web CureIt! and if for some reason, whatever you have inside the PC does not allow you to download it from the site, you'll need someone else's CLEAN computer to download the program & burn it to a CD so you can run it on your PC. Keep us posted.
     
  3. Koroush47

    Koroush47 Registered Member

    Joined:
    May 20, 2009
    Posts:
    2
    Thank you, I am downloading it now.

    I will Update with results :)

    It said no virus found.

    That was a quick scan.

    PS: My uncle came over with some CD... it said combofix on it and he ran that...

    Not sure if the computer is fixed yet... How can I be sure? Thanks.
     
    Last edited: May 20, 2009
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Download and run Prevx; if still infected, you will know.
     
  6. stefan_waelti

    stefan_waelti Registered Member

    Joined:
    May 8, 2009
    Posts:
    29
    I suggest you use another, safe computer and download Windows Malicious Software Removal Tool and run it on the infected computer.

    If this doesn't help, then on a safe computer again, download the Avira Rescue CD. Burn the .iso onto a CD.

    Put the CD into the infected computer's drive, restart it and boot from the CD.
    Configure the scanner to detect AND rename any suspicious file. When the scan is finished, remove the CD and reboot the infected computer. If it's back to running normally, then search for all .xxx files and erase them.

    By the way, if that file managed to infect the computer, then it's fair to suppose it was not properly protected in the first place. I suggest you change your AV, which obviously did not do a good job at preventing the infection. Also try to run your computer as a standard user instead of as admin.
     
    Last edited: May 20, 2009
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    The important thing about combofix is the log it generates. That can be used to diagnose your issues by a trained malware person at one of the sites JRViejo linked to.
    You probably shouldn't be running it if you don't know what is what.

    One thing combofix does is list files created in the last 30 days enabling you to narrow down the infection.

    Try taking the url of the downloaded prog and let Anubis scan the link.

    The most important thing is to get the issue fixed, it could be downloading more malware that is a greater danger.

    I'm surprised JR didn't recommend the standard 3: MBAM, SAS and CureIt.
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    LOL You have been reading some of my posts. ;)

    Once I read Koroush47's remark "I ran a full scan with NOD32, did Malwarebytes Anti-Malware... also Spybot Search and Destroy... a few tracking cookies and other useless crap were found." I figured just go with Dr. Web and see what turns up.

    However, after the statement "My uncle came over with some CD... it said combofix on it and he ran that..." an HJT log, plus running it by any of the malware removal sites quoted in that Wilders thread, is the way to go IMHO. After the visit to that hack forum, there could be more nasty stuff as you stated.
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Bad advice.:mad:

    Explanation BleepingComputer:

    "Online HijackThis analyzers DO NOT always identify all the malware or all the files properly. They sometimes list legitimate files as bad and bad files as legitimate."

    So, unless the user has very advanced computer knowledge, stay far away from these online HJT analyzers. Normally, only experts and trained analysts are able to interpret HJT log entries in the correct way.

    <S>
     
  10. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I'm sure Koroush would've returned with questions should the results have been questionable, and the possible backdrop to JR's consistently sound advice. Choosing to omit the second half of his input was choosing not to extend him the benefit of doubt. It's wise for any individual to check poster history before proceeding with advice.
     
    Last edited: May 25, 2009
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    How can you be sure that Koroush will interpret the results in a correct way? To me, according to his post the opposite will be valid.:rolleyes:

    <S>
     
  12. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Face it, results good or bad would've been reason enough to return. Lest we forget, he's got work he needs to get done!
     
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Smokey, I normally don't do what I'm about to do, but perhaps an insight into my thinking in answering Koroush47 could shed some light on the advice given by me:

    1. Although it is Koroush47's first Wilders post, he/she states using NOD32, MBAM, Spybot S&D, so that shows me some familiarity with security software, yet I am unable to know his/her level of expertise.

    2. Koroush47's statement "I have work I need to do, I need to order hardwood flooring for my boss and I cannot do it without getting rid of all the malware in the computer. Plus I don't want to know that some creep is watching me work on my stuff..." compels me to help him/her, thus I'm the first member to respond.

    3. Having successfully used Dr.Web CureIt! in the past to cure many PC ills, I suggest that avenue. The results come back clean.

    4. Once the mention of combofix gets into the picture, that raises the level of the post and the hairs on the back of my neck. Yet the statement "Not sure if the computer is fixed yet... How can I be sure?" somewhat tells me that the PC is now functioning but the poster is unsure, so I offer HJT and HijackThis.de Security as a quick reference point, but I do add the advice to run the HJT log by any of the sites "If you do find something."

    5. trjam suggests Prevx. stefan_waelti suggests Windows MSRT and the Avira Rescue CD. Searching adds that the combofix log should be run by one of the sites in the Wilders link mentioned by me. And all these answers are given within 24 hours of the original post. Koroush47 never comes back and reports what happened. So either the PC is running fine and he/she got the work done or the PC is so bad that it can not connect to Wilders.

    Contrary to your opinion, I don't think my advice was bad, especially since I directed the poster to other "experts and trained analyzers" should something be found. As far as I know (and I'm willing to accept evidence to the contrary, should you offer it), HijackThis.de Security is not a rogue organization and they also provide an HJT forum for those seeking help.

    PS. GF, I do appreciate your input and support, however, I could not let this thread die without making a final comment of my own. Thanks.
     
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    GF, thanks for that link :thumb: Knowing that Tony Klein is involved, it has been bookmarked! Take care.
     
  16. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    I actually don't understand why you guys never suggested these, but anyway:

    please download Superantispyware, install and update
    please also download A-squared, install and update

    Please let them scan one by one and post back your results.

    Please be careful with A-squared as it can bring back many False Positives.

    Thank you
     
  17. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Agreeing to disagree. ;)

    BTW, please don't try to involve Tony Klein in the discussion; he respects me and I respect him. Simple, isn't it? :)

    <S>
     
  18. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Your opening comment was fine without finding a way to pollute your post with what followed. His remark held nothing untoward. Furthermore, he was respectful enough to take the time and clarify his reasoning. As far as those concerned, this thread for the time being may as well be closed. It goes nowhere but downhill without continued input from the OP. If he needed to re-open it, he could just as easily pm one of the mods.
     
    Last edited: May 25, 2009