TechSpot

Infected computer - please help

By marygg
Dec 5, 2008
  1. I have cleaned up this computer so it now connects to the internet. It had much malware. I tried to clean up as much as I could. Could someone please help me with the enclosed scan logs. Thanks.
     
  2. rf6647

    rf6647 TS Maniac Posts: 931

    You're about done with this. Continue with the procedure.
    Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scan program.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
      • Typically extra repeat scans are not needed.
    • Post logs. Report progress & what changes are observed. Include logs that found infections.
     
  3. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    The two scans are now clean. I think I see some potential problems on Hijack This but I will wait to hear from you. Thank you so much for your help.
     
  4. rf6647

    rf6647 TS Maniac Posts: 931

    Adding some specifics helps with performing the analysis. Symptoms and observations add to the technical picture. Having said that, 'winrpcmx.exe' is toxic.

    Here is some reading for you: Trojan - online banking credentials

    ComboFix is used for the next scan. ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
    • Uninstall old copy of ComboFix

    • Follow ComboFix instructions referenced below.

    • Restart the computer.

    • Scan with HJT. (part of instructions for ComboFix)

    • Post logs. Report progress & what changes are observed.

     
  5. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    I had trouble downloading ComboFix so I ran it from a cd. The two scans are enclosed. Thanks for your help.
     
  6. rf6647

    rf6647 TS Maniac Posts: 931

    SDBot Trojan extremely dangerous

    I will ask another specialist to assist with removing this infection. You will see me add technical details to this reply to expose more of the infection.

    Please indicate that you understand that this infection threatens your identity, your accounts, and your passwords if this computer is used for online banking and commerce.

    1. This can give intruders complete control of your computer, logging key strokes, stealing information.

    2. You are strongly advised to disconnect the infected computer immediately from any networked computers until the computer can be cleaned.

    3. If this computer is used for banking or commercial transactions online, take measures to protect your identity.
      • While using the infected computer, do NOT change passwords or do any transactions, because the attacker will get the new passwords and transaction information.

    Script file is not complete.
    Code:
    File:: 
    c:\windows\system32\4scj05bs.exe
    c:\windows\system32\72NE7O0l.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At49.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    
    
    Registry:: 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
    c:\windows\system32\lsasss.exe [N/A]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
    smanager.7.exe [N/A]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRPC]
    winrpcmx.exe [N/A]
     
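The script above lists the two things that make this case recognisable: a run of numbered At*.job files under c:\windows\Tasks (scheduled tasks created with the AT command) and msconfig startupreg entries whose commands are either bare filenames or one-letter lookalikes of Windows processes (lsasss.exe vs lsass.exe). The following is an added example, not code from the thread or from ComboFix: a small Python triage that parses a CFScript-style text (File:: and Registry:: sections) and flags those three patterns. The sample script is constructed from the paths posted above and shortened; the thresholds and the list of imitated system binaries are assumptions chosen for illustration.

```python
import re

# Constructed sample in ComboFix CFScript style, modelled on the script
# posted in the thread (paths as posted; the At*.job list is shortened).
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\4scj05bs.exe
c:\windows\system32\72NE7O0l.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
c:\windows\system32\lsasss.exe [N/A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe [N/A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRPC]
winrpcmx.exe [N/A]
"""

# Legitimate Windows process names that malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}

SECTION_RE = re.compile(r"^(\w+)::\s*$")           # e.g. "File::", "Registry::"
AT_JOB_RE = re.compile(r"\\tasks\\at\d+\.job$", re.IGNORECASE)
AT_JOB_THRESHOLD = 3                                # assumed: 3+ numbered jobs is sprawl


def parse_cfscript(text):
    """Split a CFScript into {section_name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Group 'Registry::' lines into (key, [value lines]) pairs.
    A bracketed line names a key (leading '-' means delete); following lines belong to it."""
    entries, key, values = [], None, []
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                entries.append((key, values))
            key, values = line[1:-1], []
        elif key is not None:
            values.append(line)
    if key is not None:
        entries.append((key, values))
    return entries


def edit_distance(a, b):
    """Levenshtein distance; catches one-letter lookalikes such as lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return a list of (finding, detail) tuples for a CFScript text."""
    sections = parse_cfscript(text)
    findings = []

    # 1. Many numbered At*.job files: a task-scheduler persistence pattern.
    files = sections.get("File", [])
    at_jobs = [f for f in files if AT_JOB_RE.search(f)]
    if len(at_jobs) >= AT_JOB_THRESHOLD:
        findings.append(("at_job_sprawl", f"{len(at_jobs)} numbered At*.job tasks"))

    # 2. Startup commands given as a bare filename with no directory.
    commands = list(files)
    for key, values in parse_registry_section(sections.get("Registry", [])):
        entry_name = key.rsplit("\\", 1)[-1]
        for v in values:
            cmd = v.split(" [", 1)[0]          # drop ComboFix's trailing "[N/A]" annotation
            commands.append(cmd)
            if "\\" not in cmd:
                findings.append(("unqualified_startup_command", f"{entry_name}: {cmd}"))

    # 3. Filenames one edit away from a real Windows process name.
    for cmd in commands:
        name = basename(cmd)
        for legit in SYSTEM_BINARIES:
            if name != legit and edit_distance(name, legit) == 1:
                findings.append(("system_binary_lookalike", f"{name} resembles {legit}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_SCRIPT):
        print(f"{kind}: {detail}")
```

Run against the sample, it reports the At*.job sprawl, the two bare-filename startup entries (SManager and WinRPC) and lsasss.exe as a lookalike of lsass.exe. The same parser works on a full CFScript saved from a thread like this one; only the heuristics need tuning.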
  7. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    Yes. I do understand. Is this problem fixable by hjt?
     
  8. rf6647

    rf6647 TS Maniac Posts: 931

    HJT is part of the solution. I am studying other cases as I pick through the combofix log. Another specialist will construct the script file and recommend a stronger scan tool.
     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    (please read) Is your system infected? Read this before Cleaning or Formatting

    Re-Open HJT
    Place a tick next to the following entries, and then select fix

    You still have Symantec (Norton) AntiVirus, running with Windows startup
    Please run the Norton Removal Tool from going here: http://www.techspot.com/vb/post586483-2.html

    Once Restarted, please do the following:

    Download and run CCleaner, then continue below

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.

    After Restarting your computer, please run a fresh HJT scan and attach that to a new reply.
    Also please report on the status of the running of your computer :)
     
  10. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    Sorry it took so long. The computer seems to be running fine. I had trouble with downloading Norton removal tool and the Kaspersky took several hours to run. The two logs are attached. Thanks.
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please re-open HJT, tick and fix the following:
     
     
  12. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    That task is done. Here's another hjt log.
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Well, the log looks clean to me :) How's the system running?
     
  14. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    The system is running good. Thank you so much for your help.
     
  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Now would be a good time to install SP3, from Windows Update
     
  16. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    I originally started out with a conflict between sp3 and a dlink wireless adapter driver so I uninstalled sp3 to try to install the dlink. I plan to verify the driver works and reinstall sp3. Should I remove superantispyware and malwarebytes? Also hjt and combofix were already on this computer when I started working on it. Should I remove them?
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes :)

    And if installing SP3 (good idea ;) ), probably any other program (personal firewall etc.) as well.
     
  18. marygg

    marygg TS Enthusiast Topic Starter Posts: 135

    Ok. Again, thank you.
     
Topic Status:
Not open for further replies.
