Hello. I am SuperDave's teacher for malware removal.
These entries in the ComboFix log show major SYSTEM file infections (you are lucky your computer boots right now):
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
===================================
This section of the ComboFix log also shows Virut infection:
------- Sigcheck -------
============================================
So, either follow my advice here, or just ignore it. If you ignore it, your computer will probably not work in the future, until someone fixes it.
If we try to fix the computer, the system files will still be damaged, and you will get tons of system errors, which will lead to your computer eventually not booting anymore.
Thanks!

I am in complete agreement with DragonMaster Jay. If your computer is still running, you should take this opportunity to back up your important files before re-formatting. I have included some important information about this below.
Backing up files before formatting
If you back up any files, they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace, like text documents and personal photos.
Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.
I suggest running at least 3 of the below scanners on the backup files. Run the first scan, then reboot before running the second, then reboot after the second before running the third.
-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantec W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows Malicious Software Removal Tool
If you do not know how to perform a fresh install, use this website -> www.windowsreinstall.com/
Very important, do the following immediately or as soon as possible!
If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers. From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or GROUPS you belong to etc.
DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
============================
Here's some additional information which will be useful after you reformat.
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before IMMUNIZING. Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember, only install ONE firewall.
1) Comodo Personal Firewall (if you choose this one, uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus
If you are using the built-in Windows XP firewall, it is not recommended, as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
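As an added illustration, not part of either post above, here is a small Python triage script for ComboFix "is infected!!" output like the lines quoted in the first reply. It splits the log at the "-- Previous Run --" markers, counts how often each binary is flagged, and reports which files recur in every run (the same system files being re-flagged run after run is what makes a file-infector such as Virut so hard to clean in place). The sample log is a constructed excerpt of those lines, and the BOOT_CRITICAL list is an assumption taken from the binaries the post names.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt of the ComboFix output quoted in the post above.
SAMPLE_LOG = r"""
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
-- Previous Run --
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\userinit.exe . . . is infected!!
--------
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
"""

# One ComboFix detection line: "<path> . . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>[a-z]:\\\S+?)\s+\.\s+\.\s+\.\s+is infected!!$", re.I)

# Assumption: the system binaries the post treats as boot-critical (extend as needed).
BOOT_CRITICAL = {"userinit.exe", "lsass.exe", "svchost.exe", "spoolsv.exe",
                 "explorer.exe", "winlogon.exe"}


def parse_runs(text):
    """Return one list of infected paths per run, most recent run first.
    '-- Previous Run --' starts a new run; dash/equals separator lines are ignored."""
    runs = [[]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "="}:   # blank or separator line
            continue
        if line.lower() == "-- previous run --":
            runs.append([])
            continue
        m = INFECTED_RE.match(line)
        if m:
            runs[-1].append(m.group("path").lower())
    return [r for r in runs if r]


def triage(text):
    """Summarise hit counts, files flagged in every run, and boot-critical binaries hit."""
    runs = parse_runs(text)
    hits = Counter(p for run in runs for p in run)
    recurring = set(runs[0]).intersection(*runs[1:]) if runs else set()
    names = {PureWindowsPath(p).name for p in hits}
    return {"runs": len(runs), "hits": dict(hits),
            "recurring": sorted(recurring),
            "boot_critical": sorted(names & BOOT_CRITICAL)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```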