Removing Something Bad

g4m3rof1337

Active Member
Before I start, I'm typing this on my Blackberry, while in the car, and no, I'm not driving.

Alright, so I was at a LAN and we were installing files and we all got infected with some virus, trojan, worm or something.

I was using Avast at the time and I first chose ignore all, because I thought it was freaking out, so afterwards I found out it affected everyone. So I ran Avast! and it found something, so I deleted it and then I restored to 3am earlier today, when I last updated Windows, and then uninstalled Avast! and installed AVG and scanned with that for about 30 mins and nothing came up. I also ran Spybot S&D and nothing came up, and in Ad-Aware 2 tracking cookies were found, but yeah..


Anyways, I'm not sure if I had it, but some of the guys got something called Sality or something, and we researched it and found out it was a back door/keylogger..



What do I do now?




Thanks.
 
I'd try running Malwarebytes. That may find it.

I'm not sure if a system restore to before the LAN would get rid of it or not.
 
This is definitely very bad.

How many people were there at the LAN when this happened?

I'd try getting the logs from the sticky from each of them, although that's a hard task you live and learn.
 
Thanks Mike, I ran Malwarebytes when it was suggested earlier, and three threats were found right off the bat, and I aborted the scan and removed them, and restarted the scan, and so far... Wow, just checked it as I was typing and 22 infections were found... Lol.
 
Post them in this thread. I'll let ceewi1 and Buzz know, or they'll see it themselves.
 
Tada..!

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 6.0.6001 Service Pack 1

11/9/2008 1:22:51 AM
mbam-log-2008-11-09 (01-22-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152414
Time elapsed: 1 hour(s), 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files (x86)\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Program Files (x86)\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> No action taken.
C:\Program Files (x86)\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Program Files (x86)\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> No action taken.
C:\Program Files (x86)\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> No action taken.
C:\Users\GoC_Derek\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> No action taken.
 
Run Malwarebytes again. When finished with the scan, select "Remove selected." In your log, see where each item says "No action taken?" You didn't do anything. lol. After that, run Hijackthis and post the log after the new Malwarebytes log. If you need to, carefully read through these steps again. :)
 
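Added example, not part of any post in this thread and not Malwarebytes' own code: a small Python parser for the Malwarebytes 1.x log format posted above. It pulls each finding's item, detection name and action out of the detail sections, lists what the scanner left in place (the "No action taken" entries meps points out), and checks a later log against an earlier one so a rescan can be confirmed clean instead of eyeballed. The first two log excerpts are shortened from the logs in this thread; the third, with a removal action string, is constructed for illustration and the exact wording of that string is an assumption.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare two scans.

Added example for this thread, not Malwarebytes' own code. The layout
(section headers ending in ':', one finding per line of the form
'<item> (<detection>) -> <action>.') is taken from the logs posted above.
"""
import re
from collections import defaultdict

# One finding per line: "<item> (<detection>) -> <action>."  The item may itself
# contain parentheses ("Program Files (x86)"), so the detection is the last
# parenthesised token before the arrow.
FINDING_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)


def parse_mbam_log(text):
    """Return {section: [(item, detection, action), ...]} from the detail part of a log.

    The summary block near the top repeats the section names with counts
    ("Files Infected: 6"); those lines do not end in ':' and are ignored.
    """
    findings = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = FINDING_RE.match(line)
        if m:
            findings[section].append((m["item"], m["detection"], m["action"]))
    return dict(findings)


def unresolved(findings):
    """Findings the scanner reported but did not remove ("No action taken")."""
    return [(sec, item, det) for sec, rows in findings.items()
            for item, det, action in rows if action.lower().startswith("no action")]


def remaining(before, after):
    """Items from an earlier log that a later log still reports as not removed."""
    earlier = {item for rows in before.values() for item, _, _ in rows}
    return sorted({item for _, item, _ in unresolved(after) if item in earlier})


# Shortened from the first log posted in this thread (everything "No action taken").
LOG_BEFORE = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 6.0.6001 Service Pack 1

Scan type: Full Scan (C:\|)
Memory Modules Infected: 2
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Program Files (x86)\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.

Files Infected:
C:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Users\GoC_Derek\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> No action taken.
"""

# Shortened from the clean rescan log posted later in the thread.
LOG_AFTER = r"""
Malwarebytes' Anti-Malware 1.30
Scan type: Full Scan (A:\|C:\|D:\|)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed, not from the thread: the action text after "Remove selected" is assumed.
LOG_REMOVED = r"""
Files Infected:
C:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    before = parse_mbam_log(LOG_BEFORE)
    for sec, item, det in unresolved(before):
        print(f"not removed [{sec}] {det}: {item}")
    print("still present after rescan:", remaining(before, parse_mbam_log(LOG_AFTER)))
```

Run it against two saved logs by reading the files into `parse_mbam_log`; an empty `remaining()` list on a full scan is the condition to look for before declaring a machine clean, and a non-empty `unresolved()` list on the first log is exactly the situation in this thread.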
A friend told me ESET NOD32 Antivirus removes anything harmful, and strongly recommends it, so I used the trial and ran a full standard scan, for an hour, and towards the end, it found 1 infiltration, and it was in the Windows section, and it cleaned it up.


Everything seems to be running fine now.
 
Derek, that's what you said when Malwarebytes detected a lot of infected files and such, please continue with meps' instructions because you took no action against the infection and you are still infected.

Also please refrain from running any detection programs unless asked to, and please do not install any programs until your computer is pronounced clean. ;)

 
We sell NOD32 at work. I'll be sure to let my boss know it helped you. :)
 
It must have removed them because I reran the scan, and nothing came up.
 
I started Malwarebytes, and just got home, and it says the scan ran for about 41 minutes and here is the log.

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 6.0.6001 Service Pack 1

11/9/2008 3:06:28 PM
mbam-log-2008-11-09 (15-06-28).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 181526
Time elapsed: 41 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
It would help to have an updated HiJackthis log, but the Malwarebytes log obviously looks good.
 