Is my computer still infected?

Discussion in 'Malware Help (A Specialist Will Reply)' started by favabean, Apr 24, 2006.

  1. favabean

    favabean Private E-2

    Prior to finding this website, I had downloaded Spyware Doctor; the first scan detected 84 infections. It took three additional scans to remove all the detectable infections. I have attached the log from the scans.

    Step 0
    1. Found no Malware via Add/Remove
    2. Emptied recycle bin

    Step 1
    [Not yet performed]

    Step 2
    Enabled

    Step 3
    Only Norton installed

    Step 4
    Wasn't able to install Microsoft Windows Defender - Microsoft could not validate authenticity of OS; installed CounterSpy instead

    Step 5
    Ccleaner:
    Deleted about 45MB worth of stuff

    Microsoft Windows Malicious Software Removal Tool:
    0 infections

    AD-Aware SE:
    0 infections

    SpyBot:
    2 infections -
    Jupilites
    Windows.ActiveDesktop

    CounterSpy:
    no threats detected

    Also ran CWShredder, Kill2Me and smitRem

    Step 6
    Bitdefender:
    See log (ran 2 scans, both logs included)

    Panda ActiveScan:
    See log

    Ewido Security Suite:
    Ewido quarantined the following infections:
    Not-A-Virus.SpamTool.Win32.Agent.g (in C:\System Volume Information\...)
    Adware.BHO (in C:\WINDOWS\SYSTEM32\winbrume.dll)
    TrackingCookie.Hitbox (2) (in C:\RECYCLER\...)

    The computer is still slow at startup; can I assume that is partly attributable to the number of anti-spyware programs that I have installed?

    Step 7
    HijackThis:
    See log hijackthis_v1.log

    I then removed 3 files, 2 containing eventwvr.exe; 1 containing winbrume.dll

    See log hijackthis_v2.log
    (It looks like I had task manager running while doing the scan, is that a problem?)

    Checking Windows Task Manager, I have “SYSTEM” (NOT system.exe) showing up as one of the processes; is “SYSTEM” a trojan or a legitimate process?

    I also have two unfamiliar icons on my desktop: desktop.ini and p2p.dll; p2p showed up a while back, not sure if it is because of something I installed; is desktop.ini showing up because I have unhidden all the files? Is it something to worry about?

    Can you please let me know if my computer is still infected?

    Since I stupidly purchased Spyware Doctor while the computer was infected, I have since cancelled the credit card used to make the purchase. Other information that was compromised in the process includes billing address and gmail address/password. I am not sure what kind of information the various malware can detect/extract; I have passwords saved as notes in Outlook, are those safe? Should I reset all my passwords just in case? What other precautions would you suggest given the types of infection I was afflicted with?

    Thank you so much for the help. This whole process has been extremely nerve-racking.

  2. favabean

    favabean Private E-2

    more attachments

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SpywareDoctor picked up signs of the below:

    IMPORTANT NOTE: You have been infected with TWO Password Stealing Trojans: Trojan.W32.Torpig

    See this link for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/

    Since you appear to use this PC for financial related matters, you must take this possible threat seriously.

    You are strongly advised to do the following immediately:
    1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    The below files are related to this trojan:
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

    Look for anything in this Web Folders directory that uses the ibm00 characters to start a file name and delete them all. Also look for a file named tmp.tmp in this folder and delete it too if found.

    Also delete any of the below if found:
    C:\secure32.html
    C:\WINDOWS\emdat.tmp
    C:\WINDOWS\system32\Drivers\sysbus32.sys
    C:\WINDOWS\system32\parad.raw.exe
    C:\WINDOWS\system32\senssrv.dll
    C:\WINDOWS\system32\taskdir.dll
    C:\WINDOWS\uninstDsk.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IJ234NO7\gotbwbpi[1].txt
    C:\Program Files\paytime.exe

    I see you have Ewido! Is it a trial version or paid version? Either way run a full scan with it and attach the log.

    You said your copy of Spyware Doctor is paid for, but why was everything in the log ignored instead of being fixed?

    Yes, having SpywareDoctor, Ewido, and CounterSpy all installed at the same time is going to impact PC performance. If all of these are trials you need to look into getting one real paid version of a malware blocking tool like these. Since you cannot get MS Windows Defender to work (which is free) you have no choice but to buy one. If you cannot buy one, then you should uninstall these three and use Spybot's Teatimer (I don't normally like to do that).

    There is nothing in your HJT log, but you do need to get the current version of Sun Java installed and then uninstall any old versions you have.
    Last edited: Apr 24, 2006
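    A triage check for the indicator paths listed in the reply above, added here as an example and not part of the thread or of any tool it names. It assumes an elevated PowerShell 4.0+ session on the affected machine, and it only reports what it finds (with timestamps and hashes to paste into a follow-up post); it deletes nothing.

```powershell
# Added example, not from the thread: report (do not delete) the Torpig indicator
# files chaslang listed, with timestamps and SHA-256 for a follow-up post.
# Assumes an elevated PowerShell 4.0+ session on the affected machine.
$WebFolders = 'C:\Program Files\Common Files\Microsoft Shared\Web Folders'
# Exact paths quoted in the reply above.
$Indicators = @(
    "$WebFolders\ibm00001.dll",
    "$WebFolders\ibm00002.dll",
    "$WebFolders\ibm00001.exe",
    'C:\secure32.html',
    'C:\WINDOWS\emdat.tmp',
    'C:\WINDOWS\system32\Drivers\sysbus32.sys',
    'C:\WINDOWS\system32\parad.raw.exe',
    'C:\WINDOWS\system32\senssrv.dll',
    'C:\WINDOWS\system32\taskdir.dll',
    'C:\WINDOWS\uninstDsk.exe',
    'C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IJ234NO7\gotbwbpi[1].txt',
    'C:\Program Files\paytime.exe'
)
# Wildcard checks from the reply: any ibm00* name and tmp.tmp in the Web Folders directory.
$Patterns = @('ibm00*', 'tmp.tmp')

$Found = @()
foreach ($Path in $Indicators) {
    # -LiteralPath so the [1] in the cached-file name is not treated as a wildcard.
    if (Test-Path -LiteralPath $Path) { $Found += Get-Item -LiteralPath $Path -Force }
}
if (Test-Path -LiteralPath $WebFolders) {
    foreach ($Pattern in $Patterns) {
        $Found += Get-ChildItem -LiteralPath $WebFolders -Filter $Pattern -File -Force -ErrorAction SilentlyContinue
    }
}

# One row per distinct file: where it is, how big, when written, and its hash.
$Report = $Found | Sort-Object FullName -Unique | ForEach-Object {
    [pscustomobject]@{
        Path        = $_.FullName
        SizeBytes   = $_.Length
        Created     = $_.CreationTime
        LastWritten = $_.LastWriteTime
        SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}
if ($Report) {
    $Report | Format-List
    # Keep a copy of the evidence before anything is removed.
    $Report | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\torpig_indicators.csv" -NoTypeInformation
} else {
    Write-Output 'None of the listed indicator files are present.'
}
```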
  4. favabean

    favabean Private E-2

    Thank you for getting back to me.
    I have looked under the Web Folder directory and elsewhere, and found none of the files you listed.
    I ran a full scan on Ewido, and it found nothing; pls see attached log.
    The copy of Spyware Doctor I have is a paid version. After the first scan, I either reclicked the SCAN button by accident, or thought that I should have run the scan in safe mode and started over. It is all a bit fuzzy now; I was in a state of panic. The first scan picked up 84 infections (which weren't fixed), the second 77, the third 5, and the fourth 2. I have since run several more scans and it has found no further infections. I just ran a full scan; again, nothing showed up. Please see log.
    I will update Sun Java as instructed.
    Should I run hijackthis again?
    When should I disable/enable system restore?
    Thanks again for all your help.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, SpywareDoctor probably removed what it was finding. However, since you did have these items on your PC, it does mean that you were at risk at some point from these trojans. It would still be in your best interest to verify with your financial institutions that no illegal activity has occurred. Also, while it may be an inconvenience, it is in your best interest of security to change all of your passwords. The hackers may or may not have them and may or may not have used them yet!

    No I do not need another HJT log. Yours was clean.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
  6. favabean

    favabean Private E-2

    Really appreciate the feedback, chaslang!
    You are right, it is better safe than sorry, I will follow through with the recommendations listed in the first reply post.
    I am not sure if I will be able to use this computer for financial transactions again. Could be just my paranoia but it is hard to believe that this computer is fully cleansed...
    Should I uninstall CounterSpy and Ewido, since both are trial versions?
    Do you have a preference between Opera and FireFox?
    I can't tell you how grateful I am for this forum. Many thanks again!
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your PC is more than likely pretty safe! However make sure you complete ALL steps in the How to protect thread.

    Yes you should uninstall CounterSpy and Ewido trials now.

    I personally prefer FireFox.