TechSpot

I have weird files in my shared docs (keygens)

By spencer22l
Nov 15, 2008
  1. For some time now I have been seeing these unknown, random keygens and suspicious-looking files.
    I deleted all of them but they come back!
    My antivirus software (it runs on the BitDefender engine) doesn't say anything.
    I downloaded Malwarebytes to perform a full scan and got rid of everything. I use Comodo for a firewall and it doesn't say anything either, but I get a message on startup saying it closed "System Performance Analysis Tools" or something, and I think this is
    related to these files.

    I've also just run the Kaspersky Online Scanner and it said 1 file was infected. Trojan.Win32.Agen.Ambb is the name: C:\WINDOWS\pss\userinit.exe
    I found that file in msconfig -> Startup and unchecked it many times, but that didn't work. What should I do?
    Help me please!
     
  2. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    Sorry for not following the 8-step solution. I just read a post from Googling and
    was in a hurry =( I am performing a SuperAntiSpyware scan now.
    I will re-upload with everything ready when it's completed. Sorry ^^
     
  3. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    The 3 log attachments

    These are the 3 logs needed.
    Please help me!
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    Welcome to TS.

    Your logs show good progress.

    Repeat running MBAM quick scans & save log each time, until log is clean or there is no change to infections detected.

    Restart anytime the log indicates action on reboot.

    Run MBAM full scan to go to the file/folder level.
    Run SAS & HJT

    Report your experiences.

    Post logs.

    The collection of MBAM logs may be consulted in connection with ComboFix (if & when).

    Sorry, I must charge out the door.
     
  5. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    Here....

    I did as you told me:
    ran the Malwarebytes quick scan until nothing was found,
    then did a full scan,
    then the SAS and HJT scans.
    The logs are all uploaded.

    Now what should I do?
     
  6. rf6647

    rf6647 TS Maniac Posts: 829

    You have passed the crisis stage, alright.

    How are things?

    We will use ComboFix for finishing touches. I want to observe the handling of this remnant that was knocked down by MBAM.
    Follow the directions courtesy of Blind Dragon.

    Post this log, followed by the HJT log.
     
  7. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    Things are fine so far.
    I have got no new files in my shared docs.

    And here are your logs
    Thank you for helping me ^^
     

  8. rf6647

    rf6647 TS Maniac Posts: 829

    Another specialist will be called upon to interpret the ComboFix Log. My frazzled brain can't see through the clutter. Generally, what remains are fragments with no registry key to re-activate the infection.

    It is the weekend, so it may take an extra day for this. The clean up instructions will follow what mflynn has been posting lately.

    Enjoy Computing.
     
  9. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    Alright thanks

    Okay, I'll just wait,
    and I've got NOD32 Antivirus + Comodo Firewall activated.
    Also, I undid the DMZ setting on my router to be more secure.
    I was using DMZ because my Battle.net wouldn't work even after I set up port forwarding.
    Anyway, thank you for your help.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Here are the ComboFix/CFScript instructions.

    1. Open notepad and copy/paste the text in the quote box below into it:

    2. Save this as "CFScript.txt" on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.


    Also, please let me know the details/contents/usage of these files and folders in FULL:

    c:\documents and settings\lee\WINDOWS
    c:\program files\Umile
    c:\documents and settings\All Users\Application Data\{96F5B506-0F68-4EDB-AD12-CF915081579C}
    c:\Documents and Settings\lee\Desktop\mine\Settings\loginscreen\Echi\wide.exe
     
  11. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    I did as you told me to do.
    And here are the logs.

    And the programs:
    1) c:\documents and settings\lee\WINDOWS
    2) c:\program files\Umile
    3) c:\documents and settings\All Users\Application Data\{96F5B506-0F68-4EDB-AD12-CF915081579C}
    4) c:\Documents and Settings\lee\Desktop\mine\Settings\loginscreen\Echi\wide.exe

    1) I do not know what that is. It is a folder with a "system" folder in it, but it's completely empty. I checked "show hidden files + folders" and "hide protected operating system files", but nothing.

    2) I'm Korean and it's Korean encoding software. I'm pretty sure it's safe because
    it's pretty popular Korean encoding freeware or shareware.

    3) I didn't know what it was, so I followed the path and now I know. It's IconPackager;
    it's not free, I'm only using a trial, and it changes all icons easily.

    4) That is a logon screen for Windows XP, used with Logon Loader. So when I turn on my computer, after the Windows screen it's not the "welcome" by Windows. It's something else, whatever I chose.

    Hope everything is going well.
    Thank you for helping me =)
     
  12. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    I downloaded Kaspersky Internet Security Trial
    and did Full Scan and deleted all the threats detected,
    because on Kaspersky Scan I found what I was looking for...

    What else should I do?
     
  13. rf6647

    rf6647 TS Maniac Posts: 829

    I realize that this is not a timely reply. The log confirmed the deletion of the files from the script.

    It's to your credit that you were able to find the tool that ultimately solved your problem.

    All the logs submitted indicated the infections were treated.

    However, it appears that we focused on what the tools produced. Re-reading your first post, it complained of 'keygens' appearing in shared docs. ComboFix generates a list of files created in the 30-day window, but any suggestion of 'strangeness' was missed.

    Here are clean up instructions provided by Blind Dragon. Follow the general instructions following the separator (======).
     
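As an added example (it is not the thread's, ComboFix's or any participant's code), here is a small Python triage script that does what the post above describes ComboFix's 30-day list doing: walk a folder, keep the files written within the last N days, and flag the names a responder would want to look at first, such as executables or keygen-like names dropped into a documents share. The name patterns, the extension list and the use of modification time as a stand-in for creation time are assumptions; the sample files used to exercise it are constructed.

```python
"""Triage a folder for recently written files, the way ComboFix's
30-day file list does, and flag names that look like keygens or cracks.

Added example; it does not reproduce ComboFix's logic.  Assumptions:
st_mtime is a good enough proxy for creation time (on Windows st_ctime
is the real creation time and could be used instead), and the name and
extension heuristics are illustrative, not a detection standard.
"""
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Words commonly seen in names of pirate-scene tooling; illustrative only.
SUSPICIOUS_NAME = re.compile(r"keygen|crack|serial", re.IGNORECASE)
# Executable types that have no business sitting in a document share.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class Finding:
    path: str
    age_days: float
    flags: List[str] = field(default_factory=list)


def flags_for(name: str) -> List[str]:
    """Return the reasons a file name looks out of place in a documents share."""
    flags = []
    root, ext = os.path.splitext(name)
    if ext.lower() in EXEC_EXTS:
        flags.append("executable-in-docs")
    if SUSPICIOUS_NAME.search(root):
        flags.append("keygen-like-name")
    # "report.doc.exe" hides its real type when Explorer hides known extensions.
    inner_ext = os.path.splitext(root)[1].lower()
    if inner_ext and ext.lower() in EXEC_EXTS:
        flags.append("double-extension")
    return flags


def recent_files(root: str, days: int = 30, now: Optional[float] = None) -> List[Finding]:
    """Walk `root` and return a Finding for every file written within `days`.

    Results are sorted newest first.  `now` is injectable so a scan over a
    constructed directory is reproducible.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the walk
            if st.st_mtime < cutoff:
                continue
            findings.append(Finding(full, (now - st.st_mtime) / 86400, flags_for(name)))
    findings.sort(key=lambda f: f.age_days)
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Subset of findings that carry at least one flag."""
    return [f for f in findings if f.flags]


if __name__ == "__main__":
    import sys
    # Assumed default: the XP "Shared Documents" folder from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Documents and Settings\All Users\Documents"
    for f in recent_files(target):
        print(f"{f.age_days:5.1f}d  {f.path}  {' '.join(f.flags)}")
```

Run it against the share the poster complained about; anything in the flagged subset that reappears after deletion is the lead to chase (what wrote it, and from which startup entry), which is the step the tool-driven logs in this thread skipped.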
  14. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    Thank you, I have noticed that I haven't got
    any of those weird keygens or hacking tools in my docs any more! =)

    I have followed the clean-up instructions up to the last one.
    SpywareBlaster: should I get it too? Because I'm using
    Kaspersky Internet Security 2009 and I heard using many spyware protection and
    antivirus programs together might cause the computer to crash and such.
    If it's okay I will download and use it, but should I??
     
  15. rf6647

    rf6647 TS Maniac Posts: 829

    Go with your instinct. BD has his personal favorites.
    And, yes, too much protection will hurt performance, or undo some aspect of other protections.

    My case: ZA Internet Security Suite reverses changes to 'hosts' made by SpyBot.

    I have avoided using SpywareBlaster for the very same reason: what I have is working just fine. And life is too short to learn about yet another new program.

    Having said that, I'll be struck by malware only SpywareBlaster can handle. :confused:
     
  16. spencer22l

    spencer22l TS Rookie Topic Starter Posts: 53

    OK, hopefully both of our antivirus programs can handle all the ones
    that SpywareBlaster can =)
    Thank you once again ^^;
     